
display firewall ipv6 session table (All views)

Function

The display firewall ipv6 session table command displays IPv6 session tables.

Format

display firewall ipv6 session table [ vsys vsys ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | destination { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | application application-type | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port { inside inside-port-number | global global-port-number } | destination-port { inside inside-port-number | global global-port-number } | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | slot slot-id cpu cpu-id | uniderection ] *

display firewall ipv6 session table verbose [ vsys vsys ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | destination { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | application application-type | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port { inside inside-port-number | global global-port-number } | destination-port { inside inside-port-number | global global-port-number } | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | slot slot-id cpu cpu-id | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value | uniderection ] *

display firewall ipv6 session table all-systems [ source { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | destination { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port { inside inside-port-number | global global-port-number } | destination-port { inside inside-port-number | global global-port-number } | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | { local | remote } | slot slot-id cpu cpu-id | uniderection ] *

display firewall ipv6 session table verbose all-systems [ source { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | destination { inside start-ipv6-address [ to end-ipv6-address ] | global start-ipv6-address [ to end-ipv6-address ] } | protocol { id | tcp | udp | icmp | ah | esp | gre } | service service-type | source-port { inside inside-port-number | global global-port-number } | destination-port { inside inside-port-number | global global-port-number } | interface { interface-name | interface-type interface-number } | vlan vlan-id | created-in time | long-link | { local | remote } | slot slot-id cpu cpu-id | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value | uniderection ] *

display firewall ipv6 session table [ verbose ] session-id session-id

Parameters

Parameter Description Value

verbose

Displays IPv6 session table details.

-

session-id session-id

Displays the IPv6 session entries of the specified session ID.

-

all-systems

Displays the IPv6 session entries of all systems.

-

vsys vsys

Displays the IPv6 session entries of the specified virtual system.

-

source-zone source-zone

Displays the IPv6 session entries with the specified source security zone.

-

destination-zone destination-zone

Displays the IPv6 session entries with the specified destination security zone.

-

default-policy

Displays the IPv6 session entries with the default policy.

-

policy policy-name

Displays the IPv6 session entries with the specified security policy name.

-

source

Displays the IPv6 session entries with the specified source IP address.

-

destination

Displays the IPv6 session entries with the specified destination IP address.

-

inside

Specifies a private IPv6 address.

  • In the NAT scenario, inside refers to the pre-NAT IPv6 address.
  • In non-NAT scenarios, inside refers to the actual IPv6 address.

In non-NAT scenarios, either inside or global can be specified. These two modes correspond to the same session.

-

global

Specifies a public IP address.

  • In the NAT scenario, global refers to the post-NAT IPv6 address.
  • In non-NAT scenarios, global refers to the actual IPv6 address.

In non-NAT scenarios, either inside or global can be specified. These two modes correspond to the same session.

-

start-ipv6-address [ to end-ipv6-address ]

Specifies the IPv6 address.

  • If to end-ipv6-address is configured, an address segment is specified.

  • If to end-ipv6-address is not configured, an IPv6 address is specified.

-

application application-type

Displays the IPv6 session entries of the specified application.

-

protocol { id | tcp | udp | icmp | ah | esp | gre }

Displays the session entries of the specified protocol.

  • If id is selected, the protocol number is specified.

  • If tcp is selected, TCP session entries are displayed.

  • If udp is selected, UDP session entries are displayed.

  • If sctp is selected, SCTP session entries are displayed.

  • If icmp is selected, ICMP session entries are displayed.

  • If ah is selected, AH session entries are displayed.

  • If esp is selected, ESP session entries are displayed.

  • If gre is selected, GRE session entries are displayed.

The value of id is an integer ranging from 0 to 255.

service service-type

Displays the IPv6 session entries of the specified service.

-

source-port

Displays the IPv6 session entries with the specified source port.

-

destination-port

Displays the IPv6 session entries with the specified destination port.

-

inside inside-port-number

Specifies the inside port.

  • In the NAT scenario, inside refers to the pre-NAT port.
  • In non-NAT scenarios, inside refers to the actual port number.

In non-NAT scenarios, either inside or global can be specified. These two modes correspond to the same session.

The value is an integer ranging from 1 to 65535.

global global-port-number

Specifies the global port.

  • In the NAT scenario, global refers to the post-NAT port.
  • In non-NAT scenarios, global refers to the actual port number.

In non-NAT scenarios, either inside or global can be specified. These two modes correspond to the same session.

The value is an integer ranging from 1 to 65535.

interface { interface-name | interface-type interface-number }

Specifies the outbound interface.

-

vlan vlan-id

Displays all VLAN IPv6 session entries.

-

long-link

Displays all persistent connection IPv6 session entries.

-

created-in time

Displays information about sessions created in a specified recent period (in minutes). For example, if time is set to 5, sessions created in the latest 5 minutes are displayed. Only sessions that are still alive can be displayed; a session that was created and then deleted or aged out soon afterwards is not displayed.

The value is an integer ranging from 1 to 65535.

user user-name

Displays the IPv6 session entries of the specified user.

The value must be the name of an existing user.

local

Displays the IPv6 session table on the local device. The command without local displays all IPv6 session tables.

-

remote

Displays the backup IPv6 session table on the remote device. The command without remote displays all IPv6 session tables.

-

slot slot-id

Displays the session entries with the specified slot ID.

-

cpu cpu-id

Displays the session entries with the specified CPU ID.

-

reverse-packet

Indicates the number of reverse packets.

NOTE:

Reverse refers to the direction opposite to the direction from the source security zone to the destination security zone in the session entry.

-

forward-packet

Indicates the number of forward packets.

NOTE:

Forward refers to the direction same as the direction from the source security zone to the destination security zone in the session entry.

-

total-packet

Indicates the total number of packets.

-

over

Displays sessions of which the number of packets is greater than or equal to a specific value.

-

below

Displays sessions of which the number of packets is smaller than or equal to a specific value.

-

equal

Displays sessions of which the number of packets equals a specific value.

-

packet-value

Specifies the comparison value for the number of packets.

The value is an integer ranging from 1 to 4294967295.

uniderection

Displays unidirectional session information.

There are two types of unidirectional session entries: TCP session entries for which the three-way handshake is not complete, and non-TCP session entries in which the number of reverse packets is 0.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After specifying verbose, you can specify { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value to view detailed information about sessions whose packet count is greater than or equal to, smaller than or equal to, or equal to a specific value.

Example

# Display the verbose information of the IPv6 session table.

<sysname> display firewall ipv6 session table verbose
 Current Total IPv6 Sessions : 2                                           
 ttp(0x54)  VPN: public --> public  ID: a28f5db1d1d405d559c0a15020            
 Zone: trust --> untrust Slot: 2 CPU: 0 TTL: 00:03:08  Left: 00:03:06*         
 Interface: GigabitEthernet0/0/1 NextHop: 4::DDB                              
 <--packets: 0 bytes: 0 --> packets: 1 bytes: 9,582                           
 3::56E.0 --> 4::DDB.0 PolicyName: default                                    
                                                                              
 unknown(0xaf)  VPN: public --> public  ID: a38f5db2169d8328559c0a11020       
 Zone: trust --> untrust Slot: 2 CPU: 0 TTL: 00:03:08  Left: 00:03:02*         
 Interface: GigabitEthernet0/0/1 NextHop: 4::8F5                              
 <--packets: 0 bytes: 0 --> packets: 1 bytes: 9,582                           
 3::97.0 --> 4::8F5.0 PolicyName: default                                     
Table 1 Description of the display firewall ipv6 session table verbose command output

Item

Description

Current Total IPv6 Sessions

Number of current IPv6 session entries.

ttp(0x54)

Protocol name.

VPN: public --> public

VPN instance name: Source --> Destination

ID

ID of the current session entry.

Zone: trust --> untrust

Session security zone: Source zone --> Destination zone

Slot

Slot ID.

CPU

CPU ID.

TTL

Total TTL of the session entry.

Left

Remaining TTL of the session entry. * indicates that the aging of the session entry is accelerated.

Interface

Outbound interface.

NextHop

Next-hop IPv6 address of the packet.

<--packets: 0 bytes: 0

Reverse packets (including fragments) and bytes of the session.

--> packets: 1 bytes: 9,582

Forward packets (including fragments) and bytes of the session.

3::56E.0 --> 4::DDB.0

Source address/port and destination address/port of the session: Source IPv6 address and source port --> Destination IPv6 address and destination port

If NAT66 is performed on the session, square brackets ([]) are used to identify the post-NAT address/port.

PolicyName

Name of the matched security policy.

--- indicates that the packet corresponding to a session is in the policy pending state or the security policy check is not required.
  • In policy pending state, the FW is performing application identification or URL category query on packets based on the application or URL category matching condition, and the matched security policy cannot yet be determined. After application identification or URL category query is complete, the session is updated and this field displays the name of the matched security policy.

  • Scenario where security policy check is not required: For example, if access management is enabled on an interface, packets destined for the device will skip security policy check. If packets match an authentication policy with the authentication action being Portal authentication, the user sends an HTTP/HTTPS request to the web server, and the first SYN packet is not controlled by the security policy.
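
Added example (not part of the Huawei documentation): a Python parser for the five-line verbose entry layout described in Table 1. It flags entries with zero reverse packets, accelerated aging (the * after Left), and a PolicyName of ---. The second sample entry, its "tcp" protocol label and its session ID are constructed, and the field names in the result are this example's own. TCP handshake state is not shown in the output, so only the reverse-packet count is used for the unidirectional check.

```python
import re

# Constructed capture: entry 1 is the page's example output; entry 2 is
# made up for illustration (2001:db8::/32 documentation addresses).
SAMPLE = """\
 Current Total IPv6 Sessions : 2
 ttp(0x54)  VPN: public --> public  ID: a28f5db1d1d405d559c0a15020
 Zone: trust --> untrust Slot: 2 CPU: 0 TTL: 00:03:08  Left: 00:03:06*
 Interface: GigabitEthernet0/0/1 NextHop: 4::DDB
 <--packets: 0 bytes: 0 --> packets: 1 bytes: 9,582
 3::56E.0 --> 4::DDB.0 PolicyName: default

 tcp  VPN: public --> public  ID: b00000000000000000000000002
 Zone: trust --> untrust Slot: 2 CPU: 0 TTL: 00:20:00  Left: 00:19:40
 Interface: GigabitEthernet0/0/1 NextHop: 2001:db8:4::1
 <--packets: 12 bytes: 8,412 --> packets: 10 bytes: 1,204
 2001:db8:3::10.50122 --> 2001:db8:4::20.443 PolicyName: ---
"""

# One session entry = five consecutive lines, in the order listed in Table 1.
ENTRY_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN: .*?ID: (?P<id>\S+)\s*\n"
    r"\s*Zone: (?P<src_zone>\S+) --> (?P<dst_zone>\S+) .*?Left: (?P<left>[\d:]+)(?P<star>\*?)\s*\n"
    r"\s*Interface: (?P<iface>\S+) NextHop: (?P<nexthop>\S+)\s*\n"
    r"\s*<--packets: (?P<rev>[\d,]+) bytes: [\d,]+ --> packets: (?P<fwd>[\d,]+) bytes: [\d,]+\s*\n"
    r"\s*(?P<src>\S+) --> (?P<dst>\S+) PolicyName: (?P<policy>\S+)",
    re.MULTILINE)

def parse_sessions(text):
    """Return one dict per session entry found in the verbose output."""
    out = []
    for m in ENTRY_RE.finditer(text):
        s = m.groupdict()
        s["rev"], s["fwd"] = (int(s[k].replace(",", "")) for k in ("rev", "fwd"))
        s["accelerated"] = s.pop("star") == "*"
        out.append(s)
    return out

def triage(sessions):
    """Map session ID -> review flags derived from the documented fields."""
    flags = {}
    for s in sessions:
        hits = [name for name, cond in (
            ("no-reverse-packets", s["rev"] == 0),
            ("accelerated-aging", s["accelerated"]),
            ("policy-pending-or-skipped", s["policy"] == "---")) if cond]
        if hits:
            flags[s["id"]] = hits
    return flags
```

Comparing the number of parsed entries with the Current Total IPv6 Sessions line is a quick way to notice a truncated capture before relying on the flags.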
Copyright © Huawei Technologies Co., Ltd.