display firewall server-map

Function

The display firewall server-map command displays information about the server map table.

Format

display firewall server-map [ vsys vsys-name | all-systems ] [ slot slot-id cpu cpu-id ] [ full-cone | aspf | stun-dest | stun-src | nat-server | nat64 | no-pat | slb | pcp | ds-lite | static | dynamic ] [ ip ip-address ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vsys vsys-name | Displays server map table entries that are generated in the specific virtual system. | The value of vsys-name must be the name of an existing virtual system. |
| all-systems | Displays server map table entries that are generated in the public system and all the virtual systems. | - |
| slot slot-id | Specifies the slot ID. Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter. | - |
| cpu cpu-id | Specifies the CPU ID. Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter. | - |
| full-cone | Displays server map table entries that are generated in 3-tuple NAT mode. | - |
| aspf | Displays server map table entries that are generated in ASPF mode. | - |
| stun-dest | Displays STUN-type server map table entries whose destination address is not any. | - |
| stun-src | Displays STUN-type server map table entries whose source address is not any. | - |
| nat-server | Displays server map table entries that are generated in NAT server mode. | - |
| nat64 | Displays server map table entries that are generated in NAT64 mode. | - |
| no-pat | Displays server map table entries that are generated in NO-PAT mode. | - |
| slb | Displays server map table entries that are generated in SLB mode. | - |
| pcp | Displays server map table entries that are generated in PCP mode. | - |
| ds-lite | Displays server map table entries that are generated in DS-Lite mode. | - |
| static | Displays server map table entries that are manually generated. | - |
| dynamic | Displays server map table entries that are dynamically generated. | - |
| ip ip-address | Displays server map table entries that include the specified IP address. | The value is in dotted decimal notation. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

In the case of the user-defined ASPF, information about server map table entries is generated only when actual traffic exists.

Example

# Display the server map table.

<sysname> display firewall server-map
server-map 6 item(s)
 ------------------------------------------------------------------------------
Type: ASPF,  10.1.1.1:4511[1.1.1.1:2051] -> 10.1.1.2:5005,  Zone:---
Protocol: udp(Appro: rtsp-rtcp),  Left-Time:00:00:08
Vpn: public -> public

Type: STUN : any -> 10.1.2.1:4967, Zone: ---
protocol:udp(Appro: qq-derived),  Left-Time:00:04:47,  Pool: ---
Vpn: public --> public

Type: Nat Server,  any -> 10.1.2.1:21[1.1.1.2:21],  Zone:---,  Protocol: tcp
VPN: public --> public

Type: Nat Server Reverse,  1.1.1.2[10.1.2.1] -> any,  Zone:---,  Protocol: tcp
VPN: public --> public,  counter: 1 

Type: No-Pat Reverse, ANY -> 1.1.2.2[10.1.2.2],  Zone:---                                                                     
Protocol: ANY, TTL:---, Left-Time:---,  Pool: 3, Section: 0                                                                        
Vpn: public

Type: No-Pat,  10.1.2.2[1.1.2.2] -> ANY,  Zone:---                                                                            
Protocol: ANY, TTL:360, Left-Time:353,  Pool: 3, Section: 0                                                                        
Vpn: public

# The format of a server map entry is as follows:

Type: TYPE,  SRCADDR -> DSTADDR, Zone: ZONE-NAME
Protocol: PROTOCOL(Appro: APPPRO),Pool: POOLID, Section: SECTIONID, Left-Time: HH:MM:SS
Vpn: SRCVPN -> DSTVPN

Table 1 Description of the display firewall server-map command output

Item

Description

TYPE

The following types of server map entries are available:
  • SA: Entries generated after multi-channel protocol packets are identified by SA
  • ASPF: Server map entries generated when ASPF is enabled to forward the traffic of multi-channel protocols
  • SA ASPF: Entries generated after multi-channel protocol packets are identified by SA and forwarded by ASPF
  • STUN: Forward server map entries generated when ASPF is enabled to forward the traffic of STUN protocols
  • STUN Reverse: Reverse server map entries generated when ASPF is used to forward the traffic of STUN protocols
  • NAT Server: Forward server map entries generated when NAT static mapping is enabled
  • NAT Server Reverse: Reverse server map entries generated when NAT static mapping is enabled
  • No-Pat: Forward server map entries generated when NAT No-PAT is enabled
  • No-Pat Reverse: Reverse server map entries generated when NAT No-PAT is enabled
  • SLB: Forward server map entries generated when the server load balancing function is enabled
  • SLB Reverse: Reverse server map entries generated when the server load balancing function is enabled
  • FullCone Dst: Forward server mapping entries generated when traffic matches a NAT policy after full-cone 3-tuple NAT is configured
  • FullCone Src: Reverse server mapping entries generated when traffic matches a NAT policy after full-cone 3-tuple NAT is configured
  • NAT64 Static: Static server mapping entries generated when static NAT64 is configured
  • Unknown: Unknown type entries

SRCADDR -> DSTADDR

Indicates the source and destination IP addresses of the entry, which are displayed as any if no specific sources or destinations are involved.

The IP address format is x.x.x.x:portx[y.y.y.y:porty]. portx and porty indicate the source and destination port numbers respectively. Content in square brackets indicates the IP address after NAT. If no NAT is implemented, the content in square brackets is not displayed. If the port is not required or translated, :port is not displayed.

NOTE:

For an entry of the SLB type, a destination IP address may be translated into multiple addresses. Therefore, forward entries generated when the server load balancing function is enabled do not display the post-NAT addresses, and the destination IP address is displayed in the format x.x.x.x:port[---].

Zone: ZONE-NAME

For an entry of the NAT policy server mapping type, indicates the name of the security zone specified for the global IP address of the NAT policy server mapping.

For an entry of the NAT No-PAT type, the name of the security zone of the destination IP address is displayed.

For a server map entry of any other type, the name of the security zone is displayed as ---.

Protocol: PROTOCOL(Appro: APPPRO)

Indicates the protocol adopted by the entry. PROTOCOL specifies the transport-layer protocol, and APPPRO specifies the application-layer protocol.

If no protocol is specified, any is displayed.

Pool: POOLID

Indicates the ID of the address pool adopted during NAT.

The ID is displayed in the forward entry of the NAT No-PAT type, and --- is displayed in the entries of other types.

Section: SECTIONID

Indicates the ID of the address section adopted during NAT.

The ID is displayed in the forward entry of the NAT No-PAT type, and --- is displayed in the entries of other types.

Left-Time: HH:MM:SS

Indicates the remaining aging time of the entry.

The entry that does not age is displayed as ---.

Vpn: SRCVPN -> DSTVPN

Indicates the names of the source and destination VPN instances for NAT.
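
The entry format described in Table 1 can be parsed for auditing, for example to list every entry whose source is any and compare it with the intended NAT Server and ASPF configuration. The following Python parser is an added example, not part of the original reference or Huawei's code; the function names are hypothetical, and it assumes IPv4 addresses and blank-line-separated entries as in the Example output.

```python
import re
# Constructed sample: four entries taken from the Example output on this page.
SAMPLE = """\
server-map 4 item(s)
 ------------------------------------------------------------------------------
Type: ASPF,  10.1.1.1:4511[1.1.1.1:2051] -> 10.1.1.2:5005,  Zone:---
Protocol: udp(Appro: rtsp-rtcp),  Left-Time:00:00:08
Vpn: public -> public

Type: STUN : any -> 10.1.2.1:4967, Zone: ---
protocol:udp(Appro: qq-derived),  Left-Time:00:04:47,  Pool: ---
Vpn: public --> public

Type: Nat Server,  any -> 10.1.2.1:21[1.1.1.2:21],  Zone:---,  Protocol: tcp
VPN: public --> public

Type: No-Pat,  10.1.2.2[1.1.2.2] -> ANY,  Zone:---
Protocol: ANY, TTL:360, Left-Time:353,  Pool: 3, Section: 0
Vpn: public
"""

# The sample mixes "," and ":" after the type and "->" and "-->" as the arrow.
ENTRY = re.compile(r"^Type:\s*(?P<type>.+?)\s*[,:]\s*(?P<src>\S+)\s*-+>\s*(?P<dst>[^,\s]+)", re.M)
ADDR = re.compile(r"(?P<ip>[^:\[\]]+)(?::(?P<port>\d+))?(?:\[(?P<nat>[^\]]+)\])?")

def split_addr(text):
    """Split x.x.x.x:port[y.y.y.y:port] into address, port and post-NAT part."""
    m = ADDR.fullmatch(text)
    if m is None:  # not in the documented IPv4 form: keep the raw text
        return {"ip": text, "port": None, "nat": None}
    return {"ip": m["ip"].lower(), "port": m["port"], "nat": m["nat"]}

def field(block, name):
    # Value after "name:" (case-insensitive), or None when the entry lacks it.
    m = re.search(name + r":\s*([^\s,(]+)", block, re.I)
    return m.group(1) if m else None

def parse_server_map(output):
    entries = []
    for block in re.split(r"\n\s*\n", output):
        m = ENTRY.search(block)
        if m:
            entries.append({"type": m["type"], "src": split_addr(m["src"]),
                            "dst": split_addr(m["dst"]), "protocol": field(block, "Protocol"),
                            "left_time": field(block, "Left-Time")})
    return entries

def any_source(entries):
    """Entries whose source is 'any', for comparison with the intended configuration."""
    return [e for e in entries if e["src"]["ip"] == "any"]
```
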

Copyright © Huawei Technologies Co., Ltd.