How to Filter Active Sessions from the CLI
Procedure
Details
Using the command show session all filter <tab>, the sessions on the firewall can be filtered by application, port, user, IP address, security rule, NAT policy, and so on. Press <tab> after filter to list all the available filter keywords.
For example, the following commands list the active FTP control sessions and the active FTP data sessions:
admin@lab(active)> show session all filter application ftp state active
--------------------------------------------------------------------------------
ID          application    state   type flag  src[sport]/zone/proto (translated IP[port])
                                              dst[dport]/zone (translated IP[port])
--------------------------------------------------------------------------------
14891        ftp            ACTIVE  FLOW       10.16.3.232[50345]/corp-trust/6  (10.16.3.232[50345])
                                               72.240.47.70[21]/corp-untrust  (72.240.47.70[21])

admin@lab(active)> show session all filter application ftp-data state active
--------------------------------------------------------------------------------
ID          application    state   type flag  src[sport]/zone/proto (translated IP[port])
                                              dst[dport]/zone (translated IP[port])
--------------------------------------------------------------------------------
14122        ftp-data       ACTIVE  FLOW       72.240.47.70[20]/corp-untrust/6  (72.240.47.70[20])
                                               10.16.3.232[50361]/corp-trust  (10.16.3.232[50361])

Note that the ftp-data session runs in the opposite direction to the control session: its source is the server's port 20 on the untrust side, because in active-mode FTP the server opens the data connection back to the client.
Filters can be combined. The following lists LDAP sessions whose destination port is 389; on this firewall the output also carries a Flag column and the vsys that owns each session:

> show session all filter application ldap destination-port 389
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
168692       ldap           ACTIVE  FLOW  NS   192.168.85.85[60163]/trust-L3/17  (10.66.22.85[26915])
vsys1                                          10.66.22.245[389]/dmz-L3  (10.66.22.245[389])
To view the details of a specific session, take its ID from the first column of the filtered list and run show session id <ID>:

> show session id 168692

Session          168692

        c2s flow:
                source:      192.168.85.85 [trust-L3]
                dst:         10.66.22.245
                proto:       17
                sport:       60163           dport:      389
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      10.66.22.245 [dmz-L3]
                dst:         10.66.22.85
                proto:       17
                sport:       389             dport:      26915
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Tue Oct 2 12:07:30 2013
        timeout                       : 1800 sec
        time to live                  : 949 sec
        total byte count(c2s)         : 307
        total byte count(s2c)         : 237
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 1
        vsys                          : vsys1
        application                   : ldap
        rule                          : trust-2-dmz
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : nat-trust-2-dmz(vsys1)
        layer7 processing             : enabled
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/5
        session QoS rule              : N/A (class 4)
        owner: panagent

The c2s flow shows the pre-NAT addresses seen from the client, and the s2c flow shows the post-NAT addresses seen from the server: the s2c destination 10.66.22.85 port 26915 is the translated source that appears in the "(translated IP[Port])" column of the filtered list, and the security rule (trust-2-dmz) and NAT rule (nat-trust-2-dmz) that matched the session are listed alongside.
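When the filtered list and the session detail have to be checked for more than a handful of sessions (for example to confirm that every session on a rule is actually being translated the way the NAT policy intends), it helps to parse the two outputs rather than read them by eye. The following Python is an added example and not part of the article or of PAN-OS; it parses the two-line "show session all filter" table (with or without the Flag and Vsys columns) and the "show session id" detail shown above, offers a Python analogue of the CLI filter keywords, and cross-checks that the translated addresses in the summary agree with the s2c flow in the detail. The sample text is constructed from the article's own values and assumes the text layout shown on this page.

```python
"""Parsers for PAN-OS 'show session all filter ...' and 'show session id N' text output.
Added example: assumes the layout shown in the article, not an official PAN-OS API."""
import re
from typing import Any, Dict, List

# Constructed sample in the page's summary-table layout. Each session occupies two
# lines: ID/app/state/type/flag/source, then vsys/destination.
SUMMARY = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
168692       ldap           ACTIVE  FLOW  NS   192.168.85.85[60163]/trust-L3/17  (10.66.22.85[26915])
vsys1                                          10.66.22.245[389]/dmz-L3  (10.66.22.245[389])
14891        ftp            ACTIVE  FLOW       10.16.3.232[50345]/corp-trust/6  (10.16.3.232[50345])
vsys1                                          72.240.47.70[21]/corp-untrust  (72.240.47.70[21])
"""

# Constructed sample in the page's 'show session id' layout (values from the article).
DETAIL = """\
Session          168692
        c2s flow:
                source:      192.168.85.85 [trust-L3]
                dst:         10.66.22.245
                proto:       17
                sport:       60163           dport:      389
                state:       ACTIVE          type:       FLOW
                src user:    unknown
        s2c flow:
                source:      10.66.22.245 [dmz-L3]
                dst:         10.66.22.85
                proto:       17
                sport:       389             dport:      26915
                state:       ACTIVE          type:       FLOW
        start time                    : Tue Oct 2 12:07:30 2013
        timeout                       : 1800 sec
        application                   : ldap
        rule                          : trust-2-dmz
        address/port translation      : source + destination
        nat-rule                      : nat-trust-2-dmz(vsys1)
        session traverses tunnel      : False
"""

# One endpoint column: ip[port]/zone[/proto] (translated-ip[port]); {p} prefixes group names.
ENDPOINT = (r"(?P<{p}ip>\S+)\[(?P<{p}port>\d+)\]/(?P<{p}zone>[^/\s]+)(?:/(?P<{p}proto>\d+))?"
            r"\s+\((?P<{p}xip>\S+)\[(?P<{p}xport>\d+)\]\)")
FIRST = re.compile(r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
                   r"(?:(?P<flag>[A-Z]+)\s+)?" + ENDPOINT.format(p="src"))
SECOND = re.compile(r"^\s*(?:(?P<vsys>vsys\d+)\s+)?" + ENDPOINT.format(p="dst"))


def parse_summary(text: str) -> List[Dict[str, str]]:
    """Turn the two-line-per-session table into a list of flat dicts (flag/vsys optional)."""
    sessions: List[Dict[str, str]] = []
    pending = None
    for line in text.splitlines():
        m = FIRST.match(line)
        if m:
            pending = {k: v for k, v in m.groupdict().items() if v is not None}
            continue
        if pending is not None:
            m = SECOND.match(line)
            if m:
                pending.update({k: v for k, v in m.groupdict().items() if v is not None})
                sessions.append(pending)
        pending = None
    return sessions


def filter_sessions(sessions: List[Dict[str, str]], **criteria: str) -> List[Dict[str, str]]:
    """Python analogue of the CLI filter keywords, e.g. app='ldap', dstport='389'."""
    return [s for s in sessions if all(s.get(k) == v for k, v in criteria.items())]


# 'key:  value' pairs inside a flow block; a value may carry a trailing ' [zone]'.
PAIR = re.compile(r"([a-z][a-z ]*?):\s+(\S+(?: \[[^\]]+\])?)")


def parse_detail(text: str) -> Dict[str, Any]:
    """Parse 'show session id' output into top-level fields plus c2s/s2c flow dicts."""
    detail: Dict[str, Any] = {}
    flow = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Session "):
            detail["id"] = line.split()[1]
        elif line.endswith("flow:"):
            flow = line.split()[0]                       # "c2s" or "s2c"
            detail[flow] = {}
        elif flow is not None and " : " not in line:     # still inside a flow block
            for key, value in PAIR.findall(line):
                if " [" in value:                        # split 'ip [zone]'
                    value, detail[flow][key + " zone"] = value.rstrip("]").split(" [")
                detail[flow][key] = value
        else:                                            # top-level 'key : value' line
            flow = None
            key, _, value = line.partition(" : ")
            value = value.strip()
            detail[key.strip()] = {"True": True, "False": False}.get(value, value)
    return detail


def translation_consistent(summary: Dict[str, str], detail: Dict[str, Any]) -> bool:
    """The summary's translated source must be what the server sees (the s2c flow's
    destination) and the translated destination must be the s2c flow's source."""
    s2c = detail["s2c"]
    return (summary["id"] == detail["id"]
            and summary["srcxip"] == s2c["dst"] and summary["srcxport"] == s2c["dport"]
            and summary["dstxip"] == s2c["source"] and summary["dstxport"] == s2c["sport"])


if __name__ == "__main__":
    ldap = filter_sessions(parse_summary(SUMMARY), app="ldap", dstport="389")
    detail = parse_detail(DETAIL)
    print(ldap[0]["id"], detail["rule"], detail["nat-rule"], translation_consistent(ldap[0], detail))
```

In practice the two text blocks would come from the CLI output captured over SSH; the parsers are deliberately tolerant of the older header without the Flag and Vsys columns, so the same code handles the ftp and ldap listings above.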