
display firewall session table (All views)

Function

The display firewall session table command displays the session table.

Format

display firewall session table [ verbose ] [ vsys vsys-name ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | application application-name | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | uniderection ] *

display firewall session table verbose [ vsys vsys-name ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | application application-name | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | uniderection | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value ] *

display firewall session table [ verbose ] all-systems [ source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | { local | remote } | uniderection ] *

display firewall session table verbose all-systems [ source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | { local | remote } | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value | uniderection ] *

display firewall session table [ verbose ] slb [ destination { vip start-vip-address [ to end-vip-address ] | rip start-rip-address [ to end-rip-address ] } | source start-source-address [ to end-source-address ] | destination-port { vport vport-number | rport rport-number } | source-port source-port-number | slot slot-id cpu cpu-id ] *

display firewall session table [ verbose ] session-id session-id

Parameters

Parameter Description Value

verbose

Displays session table details.

-

session-id session-id

Displays the session entries of the specified session ID.

The value must be the ID of an existing session.

all-systems

Displays the session entries of all systems.

-

vsys vsys-name

Displays the session entries of the specified virtual system.

The value must be the name of an existing virtual system.

source-zone source-zone

Displays the session entries with the specified source security zone.

-

destination-zone destination-zone

Displays the session entries with the specified destination security zone.

-

default-policy

Displays the session entries that match the default policy.

-

policy policy-name

Displays the session entries that match a specific policy.

The value must be the name of an existing policy.

source-cpe

Displays the session entries with the specified source CPE.

-

destination-cpe

Displays the session entries with the specified destination CPE.

-

start-ipv6-address [ to end-ipv6-address ]

Specifies the IPv6 address or address range.

  • If to end-ipv6-address is specified, both a start IPv6 address and an end IPv6 address are given.

  • If to end-ipv6-address is omitted, only the start IPv6 address is specified.

-

user user-name

Displays the session entries of the specified user.

The value must be the name of an existing user.

source

Displays the session entries with the specified source IP address.

-

destination

Displays the session entries with the specified destination IP address.

-

inside

Specifies a private IP address.

The value is in dotted decimal notation.

  • In NAT scenarios, inside refers to the pre-NAT private IP address or the private IP address of the NAT server.
  • In non-NAT scenarios, inside refers to the actual IP address.

global

Specifies a public IP address.

The value is in dotted decimal notation.

  • In NAT scenarios, global refers to the post-NAT public IP address or the public IP address of the NAT server.
  • In non-NAT scenarios, global refers to the actual IP address.

start-ip-address [ to end-ip-address ]

Specifies the IP address or address range.

  • If to end-ip-address is specified, both a start IP address and an end IP address are given.

  • If to end-ip-address is omitted, only the start IP address is specified.

-

slot slot-id

Displays the session entries with the specified slot ID.

-

cpu cpu-id

Displays the session entries with the specified CPU ID.

-

service service-name

Displays the session entries of the specified service.

The specified service can be DNS, FTP, H323, HTTP, HWCC, ILS, MGCP, MMS, MSN, PPTP, QQ, RAS, RPC, RTSP, SIP, SMTP, SQLNET, STUN, Telnet, TFTP, and so on.

protocol { id | tcp | udp | sctp | icmp | ah | esp | gre }

Displays the session entries of the specified protocol.

  • If id is selected, the protocol number is specified.

  • If tcp is selected, TCP session entries are displayed.

  • If udp is selected, UDP session entries are displayed.

  • If sctp is selected, SCTP session entries are displayed.

  • If icmp is selected, ICMP session entries are displayed.

  • If ah is selected, AH session entries are displayed.

  • If esp is selected, ESP session entries are displayed.

  • If gre is selected, GRE session entries are displayed.

The value of id is an integer ranging from 0 to 255.

application application-name

Displays the session entries of the specified application.

-

vlan vlan-id

Displays the session entries of the specified VLAN.

The value must be the ID of an existing VLAN.

created-in time

Displays the session entries created within the specified recent period, in minutes. For example, if time is set to 5, the sessions created in the last 5 minutes are displayed. Only live sessions are displayed: a session that is created and then deleted or aged out before the command runs does not appear.

The value is an integer ranging from 1 to 65535.

source-port

Displays the session entries with the specified source port.

The value is an integer ranging from 1 to 65535.

destination-port

Displays the session entries with the specified destination port.

The value is an integer ranging from 1 to 65535.

inside port-number

Specifies the inside port.

The value is an integer ranging from 1 to 65535.

global port-number

Specifies the global port.

The value is an integer ranging from 1 to 65535.

interface { interface-name | interface-type interface-number }

Specifies the outbound interface.

-

long-link

Displays all persistent connection session entries.

-

user user-name

Displays the session entries of the specified user.

The value must be the name of an existing user.

local

Displays the session table on the local device. Without local, the command displays all session tables.

-

remote

Displays the backup session table on the remote device. Without remote, the command displays all session tables.

-

slb

Displays the session entries of SLB.

-

destination

Displays the session entries of SLB with the specified destination IP address.

-

source

Displays the session entries of SLB with the specified source IP address.

-

vip start-ip-address [ to end-ip-address ]

Displays the session entries of SLB with the specified virtual IP address.

  • If to end-ip-address is specified, both a start IP address and an end IP address are given.

  • If to end-ip-address is omitted, only the start IP address is specified.

-

rip start-ip-address [ to end-ip-address ]

Displays the session entries of SLB with the specified real IP address.

  • If to end-ip-address is specified, both a start IP address and an end IP address are given.

  • If to end-ip-address is omitted, only the start IP address is specified.

-

destination-port { vport port-number | rport port-number }

Displays the session entries of SLB with the specified destination port.

  • If vport port-number is selected, it indicates that the virtual port is specified.
  • If rport port-number is selected, it indicates that the real port is specified.

-

source-port { vport port-number | rport port-number }

Displays the session entries of SLB with the specified source port.

  • If vport port-number is selected, it indicates that the virtual port is specified.
  • If rport port-number is selected, it indicates that the real port is specified.

-

uniderection

Displays unidirectional session information.

There are two types of unidirectional session entries: TCP session entries for which the three-way handshake is not complete, and non-TCP session entries in which the number of reverse packets is 0.

-

reverse-packet

Indicates the number of reverse packets.

NOTE:

Reverse refers to the direction opposite to the direction from the source security zone to the destination security zone in the session entry.

-

forward-packet

Indicates the number of forward packets.

NOTE:

Forward refers to the direction same as the direction from the source security zone to the destination security zone in the session entry.

-

total-packet

Indicates the total number of packets.

All models except USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter.

-

over

Displays sessions of which the number of packets is greater than or equal to a specific value.

-

below

Displays sessions of which the number of packets is smaller than or equal to a specific value.

-

equal

Displays sessions of which the number of packets equals a specific value.

-

packet-value

Specifies the comparison value for the number of packets.

The value is an integer ranging from 1 to 4294967295.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

In the dual system hot backup environment, you can run the display firewall session table command with local or remote to display the session table on the local or remote device.

After specifying verbose, you can specify { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value to view detailed information about sessions whose number of packets is greater than or equal to, smaller than or equal to, or equal to a specific value.

To view session entry information of a specified virtual system, you must set the vsys parameter in the root system. You cannot specify this parameter in the virtual system.

Example

# Display brief session table information.
<sysname> display firewall session table
 Current Total Sessions : 3
  icmp VPN:public --> public Remote 192.168.1.1:43985[1.1.1.1:2107]-->192.168.2.2:2048
  telnet  VPN:public --> public 192.168.3.1:2855-->192.168.3.2:23
  http  VPN:public --> public 192.168.3.8:2559-->192.168.3.200:80
Table 1 Description of the display firewall session table command output

Item

Description

Current Total Sessions

Number of current session entries. If original connections are normal but new connections fail to be established, check whether the current number of session entries has reached the upper limit. If yes, shorten the aging time of session entries to resolve this problem.

icmp

Protocol name. In the example, the protocols are ICMP, Telnet, and HTTP.

VPN:public --> public

VPN instance name: Source --> Destination

Remote

In a hot standby scenario, Remote indicates that the current session is a backup session, which is backed up from the peer device.

192.168.1.1:43985[1.1.1.1:2107]-->192.168.2.2:2048

Session table information. If the session entry uses +->, ASPF is enabled. If NAT is performed on the session, the post-NAT IP address is shown in square brackets ([]). If the session is blocked by a traffic policy that uses application identification and sets a maximum number of connections or a maximum connection rate, the flag (B) is displayed after the session once it is blocked.

# Display session table details.
<sysname> display firewall session table verbose
 Current Total Sessions : 1
 udp  VPN: public --> public  ID: b581fa1ceac4a0a1ea359236b23022
 Zone: trust --> untrust Slot: 2 CPU: 2  TTL: 00:02:00  Left: 00:01:44*
 Recv Interface: 40GigabitEthernet 0/0/1  Rev Slot: 2 CPU: 2
 Interface: 40GE1/1/0  NextHop: 172.16.2.1
 <--packets: 0 bytes: 0 ==> packets: 3782387 bytes: 211,813,672
 172.16.1.1:1025 --> 172.16.2.1:1026 PolicyName: default
# Display detailed information about the session table based on session IDs.
<sysname> display firewall session table verbose session-id a58f3fe91023015aa15344e75b
  Current Total Sessions : 1
  icmp  VPN:public --> public  ID: a58f3fe91023015aa15344e75b
  Zone: local--> trust  TTL: 00:00:20  Left: 00:00:09*
  Creation Time: 2014/04/09 06:23:23  Duration: 00:00:12
  Interface: GigabitEthernet0/0/0  NextHop: 10.1.2.2  MAC: 4437-e697-78fe
  <--packets:3 bytes:252   -->packets:3 bytes:252
  10.1.1.1:43982[1.1.1.1:2107]-->10.1.2.2:2048
# Display unidirectional session table details.
<sysname> display firewall session table verbose uniderection
 Current Total Sessions : 1
 NetBios  VPN: public --> public  ID: b481f3407acc583c07578d384d
 Zone: trust --> trust  TTL: 00:02:00  Left: 00:00:26*
 Recv Interface: GigabitEthernet0/0/0 Rev Slot: 2 CPU: 3
 Interface: GigabitEthernet0/0/0  NextHop: 10.10.10.255  MAC: 0000-0000-0000
 <--packets: 0 bytes: 0 --> packets: 3 bytes: 234   /*The number of reverse packets during the session is 0. Therefore, the session is a unidirectional session.*/
 10.10.10.254:137 --> 10.10.10.255:137 PolicyName: ---
Table 2 Description of the display firewall session table verbose command output

Item

Description

Current Total Sessions

Number of current session entries.

udp

Protocol name. In this example, the protocol is UDP.

VPN:public --> public

VPN instance name: Source --> Destination

ID

ID of current session entries.

Zone: trust --> untrust

Session security zone: Source zone --> Destination zone

Slot: 2 CPU: 2

Slot ID and CPU ID of the forward session.

Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter.

TTL

Total TTL of the session entry.

Left

Remaining TTL of the session entry. * indicates that the aging of the session entry is accelerated.

Recv Interface

Inbound interface of forward packets.

Rev Slot: 2 CPU: 2

Slot ID and CPU ID of the reverse session.

User

User name.

Interface

Outbound interface of forward packets.

NextHop

Next-hop IP address of forward packets.

MAC

Next-hop MAC address of forward packets.

<--packets: 0 bytes: 0

Reverse packets (including fragments) and bytes of the session.

<== indicates that hardware-based fast forwarding is implemented for the reverse packets of the session, and <-- indicates that hardware-based fast forwarding is not implemented for the reverse packets of the session.

==> packets: 3782387 bytes: 211,813,672

Forward packets (including fragments) and bytes of the session.

==> indicates that hardware-based fast forwarding is implemented for the forward packets of the session, and --> indicates that hardware-based fast forwarding is not implemented for the forward packets of the session.

172.16.1.1:1025 --> 172.16.2.1:1026

Session table information. The IP address in "[]" is the post-NAT address. If the session is blocked by a traffic policy that uses application identification and sets a maximum number of connections or a maximum connection rate, the flag (B) is displayed after the session once it is blocked.

PolicyName

Name of the matched security policy.

--- indicates that the packet corresponding to the session is in the policy pending state or that no security policy check is required.
  • Policy pending state: the FW is performing application identification or URL category query on the packets because the security policy uses an application or URL category matching condition, so the matched security policy cannot yet be determined. After application identification or URL category query completes, the session is updated and this field displays the name of the matched security policy.

  • Security policy check not required: for example, if access management is enabled on an interface, packets destined for the device skip the security policy check. Likewise, if packets match an authentication policy whose authentication action is Portal authentication, the user sends an HTTP/HTTPS request to the web server and the first SYN packet is not controlled by the security policy.
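The two output tables above describe a number of markers that matter when session output is reviewed after an incident or pasted into a ticket: Remote backup entries, the post-NAT address in square brackets, the +-> ASPF marker, the (B) blocked flag, the ==>/<== fast-forwarding markers, the --- policy-pending state, and unidirectional sessions. The following Python parser is an added example, not Huawei tooling or part of this reference; it turns brief and verbose output into dictionaries so those markers can be counted and the { reverse-packet | forward-packet | total-packet } { over | below | equal } filter can be reproduced offline. It assumes IPv4 endpoints, that +-> takes the place of --> on the endpoint line when ASPF is enabled, and that (B) is printed after the destination endpoint; the sample output is constructed from the examples on this page with those assumed markers added.

```python
# Added example (not Huawei code): parse 'display firewall session table'
# output, brief and verbose, into dicts so the markers the reference
# describes can be checked in code. Assumes IPv4 endpoints.
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}:\d+"
# Endpoint pair: [post-NAT addr] in brackets, '+->' means ASPF (assumed to
# replace '-->'), '(B)' after the destination means blocked (assumed position).
_FLOW = re.compile(rf"(?P<src>{IP})(?:\[(?P<nat>{IP})\])?\s*(?P<arrow>-->|\+->)\s*"
                   rf"(?P<dst>{IP})(?:\s*\((?P<blk>B)\))?")
# First line of an entry: brief lines may carry 'Remote', verbose lines carry 'ID:'.
_HEAD = re.compile(r"^\s*(?P<proto>\S+)\s+VPN:\s*(?P<vs>\S+)\s+-->\s+(?P<vd>\S+)"
                   r"(?:\s+ID:\s*(?P<id>\w+)|\s+(?P<remote>Remote)\b)?")
_ZONE = re.compile(r"Zone:\s*(?P<zs>\w+)\s*-->\s*(?P<zd>\w+)")
_LEFT = re.compile(r"Left:\s*[\d:]+(?P<star>\*?)")  # '*' = accelerated aging
# '<==' / '==>' mark hardware fast forwarding; '<--' / '-->' mark its absence.
_PKTS = re.compile(r"(?P<ra><--|<==)\s*packets:\s*(?P<rp>\d+)\s+bytes:\s*(?P<rb>[\d,]+)"
                   r"\s+(?P<fa>-->|==>)\s*packets:\s*(?P<fp>\d+)\s+bytes:\s*(?P<fb>[\d,]+)")
_POLICY = re.compile(r"PolicyName:\s*(?P<p>\S+)")


def parse_session_table(output):
    """Return one dict per session entry from brief or verbose output."""
    sessions, cur = [], None
    for line in output.splitlines():
        h = _HEAD.match(line)
        if h:
            cur = {"proto": h["proto"].lower(), "vpn": (h["vs"], h["vd"]),
                   "id": h["id"], "remote": h["remote"] is not None}
            sessions.append(cur)
        if cur is None:
            continue
        f = _FLOW.search(line)  # brief: same line; verbose: last line of the entry
        if f:
            cur.update(src=f["src"], dst=f["dst"], post_nat=f["nat"],
                       aspf=f["arrow"] == "+->", blocked=f["blk"] == "B")
        z = _ZONE.search(line)
        if z:
            cur["zone"] = (z["zs"], z["zd"])
        left = _LEFT.search(line)
        if left:
            cur["accelerated_aging"] = left["star"] == "*"
        p = _PKTS.search(line)
        if p:
            cur.update(reverse_packets=int(p["rp"]), forward_packets=int(p["fp"]),
                       reverse_bytes=int(p["rb"].replace(",", "")),
                       forward_bytes=int(p["fb"].replace(",", "")),
                       reverse_fast_fwd=p["ra"] == "<==", forward_fast_fwd=p["fa"] == "==>")
        pol = _POLICY.search(line)
        if pol:
            cur["policy"], cur["policy_pending"] = pol["p"], pol["p"] == "---"
    return sessions


def is_unidirectional(s):
    """Non-TCP entry whose reverse packet count is 0 (the reference's second kind;
    the incomplete-TCP-handshake kind is not visible in the parsed fields)."""
    return s["proto"] != "tcp" and s.get("reverse_packets") == 0


def filter_by_packets(sessions, counter, op, value):
    """Same semantics as '{reverse-packet|forward-packet|total-packet}
    {over|below|equal} packet-value': over is >=, below is <=, equal is ==."""
    def count(s):
        r, f = s.get("reverse_packets", 0), s.get("forward_packets", 0)
        return {"reverse-packet": r, "forward-packet": f, "total-packet": r + f}[counter]
    test = {"over": lambda c: c >= value, "below": lambda c: c <= value,
            "equal": lambda c: c == value}[op]
    return [s for s in sessions if test(count(s))]


def summarize(output):
    """Counts a defender typically wants from a pasted session table."""
    sessions = parse_session_table(output)
    return {"total": len(sessions),
            "unidirectional": sum(is_unidirectional(s) for s in sessions),
            "remote_backup": sum(s["remote"] for s in sessions),
            "natted": sum(s.get("post_nat") is not None for s in sessions),
            "policy_pending": sum(s.get("policy_pending", False) for s in sessions),
            "blocked": sum(s.get("blocked", False) for s in sessions)}


# Constructed sample, assembled from the examples on this page (ASPF and (B)
# markers added under the assumptions stated above).
BRIEF = """\
 Current Total Sessions : 3
  icmp VPN:public --> public Remote 192.168.1.1:43985[1.1.1.1:2107]-->192.168.2.2:2048
  telnet  VPN:public --> public 192.168.3.1:2855+->192.168.3.2:23
  http  VPN:public --> public 192.168.3.8:2559-->192.168.3.200:80 (B)
"""
VERBOSE = """\
 Current Total Sessions : 3
 udp  VPN: public --> public  ID: b581fa1ceac4a0a1ea359236b23022
 Zone: trust --> untrust Slot: 2 CPU: 2  TTL: 00:02:00  Left: 00:01:44*
 <--packets: 0 bytes: 0 ==> packets: 3782387 bytes: 211,813,672
 172.16.1.1:1025 --> 172.16.2.1:1026 PolicyName: default
 icmp  VPN:public --> public  ID: a58f3fe91023015aa15344e75b
 Zone: local--> trust  TTL: 00:00:20  Left: 00:00:09*
 <--packets:3 bytes:252   -->packets:3 bytes:252
 10.1.1.1:43982[1.1.1.1:2107]-->10.1.2.2:2048
 NetBios  VPN: public --> public  ID: b481f3407acc583c07578d384d
 Zone: trust --> trust  TTL: 00:02:00  Left: 00:00:26*
 <--packets: 0 bytes: 0 --> packets: 3 bytes: 234
 10.10.10.254:137 --> 10.10.10.255:137 PolicyName: ---
"""

if __name__ == "__main__":
    print(summarize(BRIEF))
    print(summarize(VERBOSE))
```

Paste the device output into BRIEF or VERBOSE (or read it from a file) and call summarize(); filter_by_packets() mirrors the on-box filter so that, for example, a dump taken without the filter can still be reduced to sessions with a large forward packet count. Note that parse_session_table() keys off the VPN: line, so the Current Total Sessions header line is ignored rather than checked against the parsed count.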
Copyright © Huawei Technologies Co., Ltd.