How to Filter Active Sessions from the CLI

Created On 09/25/18 17:27 PM - Last Modified 06/12/23 16:07 PM


Resolution


Details

The command show session all filter <tab> filters the sessions on the firewall by a specific application, port, user, IP address, security rule, NAT policy, etc. Press <tab> to view all the available filters that can be applied.

For example, the following lists the 'active' FTP connections:

admin@lab(active)> show session all filter application ftp state active
-------------------------------------------------------------------------------
ID         application     state   type flag  src[sport]/zone/proto (translated IP[port])
                                               dst[dport]/zone (translated IP[port]
-------------------------------------------------------------------------------
14891    ftp                ACTIVE FLOW  10.16.3.232[50345]/corp-trust/6 (10.16.3.232[50345])
                                           72.240.47.70[21]/corp-untrust (72.240.47.70[21])

admin@lab(active)> show session all filter application ftp-data state active
-------------------------------------------------------------------------------
ID         application     state   type flag  src[sport]/zone/proto (translated IP[port])
                                              dst[dport]/zone (translated IP[port]
-------------------------------------------------------------------------------
14122    ftp-data             ACTIVE FLOW      72.240.47.70[20]/corp-untrust/6 (72.240.47.70[20])
                                             10.16.3.232[50361]/corp-trust (10.16.3.232[50361])

> show session all filter application ldap destination-port 389
--------------------------------------------------------------------------------
ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
168692  ldap           ACTIVE FLOW  NS   192.168.85.85[60163]/trust-L3/17  (10.66.22.85[26915])
vsys1                                     10.66.22.245[389]/dmz-L3  (10.66.22.245[389])

In order to view the session details, choose the session ID and run the following:

> show session id 168692
Session          168692
        c2s flow:
                source:      192.168.85.85 [trust-L3]
                dst:         10.66.22.245
                proto:       17
                sport:       60163           dport:      389
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      10.66.22.245 [dmz-L3]
                dst:         10.66.22.85
                proto:       17
                sport:       389             dport:      26915
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
        start time                    : Tue Oct  2 12:07:30 2013
        timeout                       : 1800 sec
        time to live                  : 949 sec
        total byte count(c2s)         : 307
        total byte count(s2c)         : 237
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 1
        vsys                          : vsys1
        application                   : ldap
        rule                          : trust-2-dmz
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : nat-trust-2-dmz(vsys1)
        layer7 processing             : enabled
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/5
        session QoS rule              : N/A (class 4)

owner: panagent
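
Added example (not part of the original article and not Palo Alto Networks code): a Python parser for the two-line rows printed by show session all, covering both header layouts shown above and reporting which side of each session the firewall translated. The function names, dictionary keys and the SAMPLE variable are assumptions made for this example; the sample rows are the ones printed on this page.

```python
import re

# Rows copied from the outputs on this page (header abbreviated); both layouts,
# with and without the Vsys column, and a blank line between row halves.
SAMPLE = """\
ID      application  state   type flag  src[sport]/zone/proto (translated IP[port])
-------------------------------------------------------------------------------
14891    ftp                ACTIVE FLOW  10.16.3.232[50345]/corp-trust/6 (10.16.3.232[50345])

                                           72.240.47.70[21]/corp-untrust (72.240.47.70[21])
168692  ldap           ACTIVE FLOW  NS   192.168.85.85[60163]/trust-L3/17  (10.66.22.85[26915])
vsys1                                     10.66.22.245[389]/dmz-L3  (10.66.22.245[389])
"""

ENDPOINT = re.compile(r"([0-9A-Fa-f:.]+)\[(\d+)\]")   # ip[port]
ZONE = re.compile(r"\]/([^/\s]+)(?:/(\d+))?")         # ]/zone, optional /proto

def parse_sessions(text):
    """Pair every ID line with the destination line below it."""
    rows = [line for line in text.splitlines() if line.strip()]
    sessions = []
    for first, second in zip(rows, rows[1:]):
        head = first.split()
        if len(head) < 5 or not head[0].isdigit():
            continue                      # header, separator or destination line
        joined = first + " " + second
        eps = [(ip, int(port)) for ip, port in ENDPOINT.findall(joined)]
        zones = ZONE.findall(joined)
        # Expect src, src-translated, dst, dst-translated; proto only on line 1.
        if len(eps) != 4 or len(zones) != 2 or not zones[0][1] or zones[1][1]:
            continue                      # truncated or unexpected row
        lead = second.split()[0]
        sessions.append({
            "id": int(head[0]), "app": head[1], "state": head[2], "type": head[3],
            "flag": "" if "[" in head[4] else head[4],
            "vsys": None if "[" in lead else lead,
            "proto": int(zones[0][1]),
            "src": eps[0], "src_xlat": eps[1], "src_zone": zones[0][0],
            "dst": eps[2], "dst_xlat": eps[3], "dst_zone": zones[1][0],
        })
    return sessions

def translated_sides(session):
    """Sides whose printed address or port differs from its translated value."""
    return [side for side in ("src", "dst")
            if session[side] != session[side + "_xlat"]]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["id"], s["app"], s["src"], "->", s["dst"], translated_sides(s))
```

Rows that do not yield exactly four ip[port] tokens and two zones are skipped, so a truncated capture does not produce a half-filled record.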


