Whether sessions generated for the traffic blocked by policies can be queried on a firewall


A firewall does not generate sessions for traffic blocked by policies, so there are no sessions for that traffic to query.

Other related questions:
Session table query on a firewall
You can query the session table on the web UI and CLI. For the USG6000 series, on the web UI, choose Monitor > Session Table to query the session table and NAT detailed information. For the USG2000&5000 series, on the web UI, choose Firewall > Monitor > Session Table to query the session table. For the USG2000&5000 and USG6000 series, you can run the display firewall session table command to view the session table, or run the display firewall session table nat command to view the NAT session table.

Query of session information of a specific protocol
For the USG2000&5000 and USG6000 series, you can run the display firewall session table [ verbose ] protocol protocol-name command to view session information about a specific protocol. The protocol can be TCP, UDP, or ICMP.

Query of session entries with specified IP addresses
You can view session entries with specified source or destination IP addresses on the web UI or CLI. For the USG6000 series, on the web UI, choose Monitor > Session Table to view the session table. Then, click Advanced Search and enter the specified IP address in Source Address or Destination Address. For the USG2000&5000 series, on the web UI, choose Firewall > Monitor > Session Table to view the session table. Then, click Advanced Search, select Source or Destination from the IP Address drop-down list, and enter the specified IP address. For the USG2000&5000 and USG6000 series, you can run the display firewall session table source [ verbose ] { inside ip-address | global ip-address } or display firewall session table destination { inside ip-address | global ip-address } command to view session information about the specified source or destination IP address.

Firewall session aging time
Generally, you can use the default aging time of the session table. To change the aging time of the session table for a specific protocol type, run the firewall session aging-time command. For the USG2000&5000 series, you can set the service aging time on the web UI. On the web UI, choose Firewall > Service > Service Aging Time. To view the aging time of the session entries of all traffic in the current system, you can run the display firewall session aging-time command.
