Tuesday, 30 September 2025
12:22 AM
diagnose sys session filter clear
diagnose sys session filter src
diagnose sys session filter dst
diagnose sys session filter dport
diagnose sys session list
Here's how to read it:
Top line:
session info: proto=6 proto_state=01 duration=5429 expire=3577 timeout=3600
- proto=6 is TCP (17 = UDP)
- proto_state=01 means the traffic was established
- duration = how long the session has been up (sec)
- expire = how long until timeout if idle
- timeout = idle timeout threshold
Traffic stats:
org=1647940/1404/1 reply=58520/1119/1
- Origin (src → dst): bytes/packets/errors
- Reply (dst → src): bytes/packets/errors
Nexthop/Gateway:
gwy=
Translation (NAT/VIP):
hook=pre dir=org act=dnat ip1→ip2(ip3)
- hook=pre → This is before forwarding (ingress into the firewall).
- dir=org → The origin direction (client → server).
- act=dnat → Destination NAT is being applied.
- ip1 → Client IP and source port.
- → ip2 → Destination VIP the client thinks it's talking to.
- (ip3) → Actual backend IP/port after DNAT.
hook=post dir=reply act=snat ip1→ip2(ip3)
- hook=post → After forwarding (egress).
- dir=reply → Reply direction (server → client).
- act=snat → Source NAT is applied.
- ip1 → Real backend server sending the reply.
- → ip2 → Back to the client.
- (ip3) → Source is rewritten to the VIP so the client thinks it's still talking to .99.
Policy it has used:
policy_id=26 → firewall rule that allowed it
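Added example (not part of the original note, not Fortinet code): a small parser for the record layout described above, which pulls out the protocol, counters, NAT translations and policy id, computes how long the session has been idle, and checks that the DNAT backend matches the SNAT source and that the reply is rewritten back to the VIP. The sample record and its addresses are constructed to match the fields in the note, not captured from a device.

```python
import re

# Constructed sample record laid out as the note describes (not captured
# from a real FortiGate); addresses come from documentation ranges.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=5429 expire=3577 timeout=3600
org=1647940/1404/1 reply=58520/1119/1
gwy=10.0.0.1/10.1.1.1
hook=pre dir=org act=dnat 10.1.1.5:51234->203.0.113.99:443(10.0.0.10:8443)
hook=post dir=reply act=snat 10.0.0.10:8443->10.1.1.5:51234(203.0.113.99:443)
policy_id=26
"""

PROTO_NAMES = {6: "TCP", 17: "UDP"}
INT_KEYS = {"proto", "duration", "expire", "timeout", "policy_id"}
KV_RE = re.compile(r"(\w+)=(\S+)")
STAT_RE = re.compile(r"\b(org|reply)=(\d+)/(\d+)/(\d+)")
NAT_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+?)->(\S+?)\((\S+?)\)")

def parse_session(text):
    """Parse one 'diagnose sys session list' record into a dict."""
    s = {"nat": {}}
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:  # translation line ip1->ip2(ip3), keyed by NAT action
            hook, d, act, ip1, ip2, ip3 = m.groups()
            s["nat"][act] = {"hook": hook, "dir": d, "from": ip1, "to": ip2, "xlate": ip3}
            continue
        stats = STAT_RE.findall(line)
        if stats:  # traffic counters: bytes/packets/errors per direction
            for name, b, p, e in stats:
                s[name] = {"bytes": int(b), "packets": int(p), "errors": int(e)}
            continue
        for k, v in KV_RE.findall(line):  # remaining key=value pairs
            s[k] = int(v) if k in INT_KEYS else v  # proto_state stays "01"
    s["proto_name"] = PROTO_NAMES.get(s.get("proto"), "other")
    return s

def idle_seconds(s):
    """Seconds since the last packet: idle threshold minus time remaining."""
    return s["timeout"] - s["expire"]

def nat_consistent(s):
    """DNAT backend must be the SNAT source, and the SNAT result must be the VIP."""
    dnat, snat = s["nat"].get("dnat"), s["nat"].get("snat")
    if not (dnat and snat):
        return False
    return dnat["xlate"] == snat["from"] and snat["xlate"] == dnat["to"]
```

Feed it the text between two session records from the real command output; a session whose DNAT and SNAT entries do not line up is worth a second look at the VIP and policy configuration.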