How to read the session table
redir, may_dirty
When a session goes through the proxy, it is marked as redir.
AV scanning, content archiving and some other features mark the session as redir; IPS alone does not.
The TCP sequence numbers are changed when a session is proxied.
Example: content archive session
root) # d sys session li
session info: proto=6 proto_state=11 expire=3587 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=4 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 ha_id=0 hakey=0
tunnel=/
state=redir local may_dirty ndr br npu npr
statistic(bytes/packets/err): org=686/12/0 reply=596/8/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=25->26/26->25 gwy=8.8.103.104/8.8.103.108
hook=pre dir=org act=noop 8.8.103.108:54438->8.8.103.104:21(0.0.0.0:0)
hook=post dir=reply act=noop 8.8.103.104:21->8.8.103.108:54438(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=20004 policy_id=1 auth_info=0 ids=0x3 vd=4 serial=00001db8 tos=ff/ff app=0
total session 1
Pure IPS session:
# d sys session li
session info: proto=6 proto_state=01 expire=3598 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
bandwidth=0/sec guaranteed_bandwidth=0/sec traffic=0/sec prio=0 ha_id=0 hakey=0
tunnel=/
state=ext may_dirty ndr br npu npr
statistic(bytes/packets/err): org=686/12/0 reply=596/8/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=25->26/26->25 gwy=8.8.103.104/8.8.103.108
hook=pre dir=org act=noop 8.8.103.108:41329->8.8.103.104:21(0.0.0.0:0)
hook=post dir=reply act=noop 8.8.103.104:21->8.8.103.108:41329(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=20004 policy_id=1 auth_info=0 ids=0x2 vd=4 serial=00001dc2 tos=ff/ff app=0
total session 1
may_dirty and dirty
Most sessions that go through the firewall are marked as may_dirty. This flag means the session can be marked as dirty when an asymmetric-route switchover happens.
Example: changing the gateway of your default route makes the dirty flag show up.
Before changing the gateway:
FG3K9B3E10700005 # d sys session list
session info: proto=6 proto_state=01 duration=7 expire=3592 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=535
policy_dir=0 tunnel=/
state=may_dirty npu npr rem
statistic(bytes/packets/allow_err): org=164/3/1 reply=132/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=17->18/18->17 gwy=94.1.1.12/93.1.1.11
hook=pre dir=org act=noop 93.1.1.11:51895->94.1.1.12:22(0.0.0.0:0)
hook=post dir=reply act=noop 94.1.1.12:22->93.1.1.11:51895(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=000011e6 tos=ff/ff app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=93.1.1.11, bps=0
total session 1
=========================
After changing the gateway:
FG3K9B3E10700005 # d sys session list
session info: proto=6 proto_state=01 duration=1056 expire=3562 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=535
policy_dir=0 tunnel=/
state=dirty may_dirty npu npr rem
statistic(bytes/packets/allow_err): org=164/3/1 reply=132/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=17->0/18->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 93.1.1.11:51895->94.1.1.12:22(0.0.0.0:0)
hook=post dir=reply act=noop 94.1.1.12:22->93.1.1.11:51895(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=000011e6 tos=ff/ff app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=93.1.1.11, bps=0
total session 1
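To make the flag reading from both sections (redir for proxied sessions, may_dirty/dirty after a gateway change) repeatable on a large dump, here is an added Python parser for the `diagnose sys session list` record format shown above. It is not from the original post; the sample dump is constructed from the post's own output, condensed to the lines the parser uses.

```python
import re

# Constructed sample: two sessions condensed from the dumps in the post (the proxied
# content-archive FTP session and the SSH session after the default gateway changed).
SAMPLE = """\
session info: proto=6 proto_state=11 expire=3587 timeout=3600 av_idx=4 use=3
state=redir local may_dirty ndr br npu npr
orgin->sink: org pre->post, reply pre->post dev=25->26/26->25 gwy=8.8.103.104/8.8.103.108
hook=pre dir=org act=noop 8.8.103.108:54438->8.8.103.104:21(0.0.0.0:0)
misc=20004 policy_id=1 auth_info=0 ids=0x3 vd=4 serial=00001db8 tos=ff/ff app=0
session info: proto=6 proto_state=01 duration=1056 expire=3562 timeout=3600 av_idx=0 use=4
state=dirty may_dirty npu npr rem
orgin->sink: org pre->post, reply pre->post dev=17->0/18->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 93.1.1.11:51895->94.1.1.12:22(0.0.0.0:0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

KV = re.compile(r"(\w+)=(\S*)")  # key=value tokens on a dump line

def parse_sessions(text):
    """Return one dict per 'session info:' record: key=value fields,
    the set of state flags, and the raw hook (5-tuple) lines."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            cur = {"fields": {}, "state": set(), "hooks": []}
            sessions.append(cur)
        if cur is None or line.startswith("total session"):
            continue
        if line.startswith("state="):
            cur["state"] = set(line[len("state="):].split())
        elif line.startswith("hook="):
            cur["hooks"].append(line)
        else:
            cur["fields"].update(KV.findall(line))
    return sessions

def describe(session):
    """Read off the flags the post explains for one session."""
    f, st = session["fields"], session["state"]
    return {
        "proxied": "redir" in st,        # AV scan / content archive; IPS alone never sets it
        "may_dirty": "may_dirty" in st,  # eligible to become dirty on a route change
        "dirty": "dirty" in st,          # set after the gateway changed (gwy went to 0.0.0.0)
        "av_idx": int(f.get("av_idx", "0")),
        "proto_state": f.get("proto_state"),
        "gwy": f.get("gwy"),
    }
```

Running `describe` over every session lets you spot, for example, sessions that went dirty after a routing change or sessions unexpectedly being proxied.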
Tuesday, July 22, 2008