I did a ping from my workstation (192.168.1.240) to 8.8.8.8, then filtered the session table on that source and destination.
diag sys session filter src 192.168.1.240
diag sys session filter dst 8.8.8.8
diag sys session list
session info: proto=1 proto_state=00 duration=11 expire=49 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00 route_preserve
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=8->6/6->8 gwy=50.4.192.1/192.168.1.240
hook=post dir=org act=snat 192.168.1.240:1->8.8.8.8:8(50.4.203.235:60417)
hook=pre dir=reply act=dnat 8.8.8.8:60417->50.4.203.235:0(192.168.1.240:1)
src_mac=1c:6f:65:xx:xx:xx
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=00411ceb tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id= 80000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=64/66, ipid=66/64, vlan=0x0000/0x0000
vlifid=66/64, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=1/1
total session 1
show firewall policy 3
config firewall policy
edit 3
set name “DMZ-House-2”
set uuid fd0a4304-bdb5-51e6-bb3d-518a1c2fd94f
set srcintf “dmz”
set dstintf “virtual-wan-link”
set srcaddr “all”
set dstaddr “all”
set action accept
set schedule “always”
set service “ALL”
set utm-status enable
set inspection-mode proxy
set profile-protocol-options “custom-default”
set ssl-ssh-profile “certificate-inspection”
set av-profile “default”
set logtraffic all
set comments “DMZ changed to LAN for House-2”
set nat enable
next
end
I cleared the session table, then did a ping from one of the VMs (172.16.1.200) to 8.8.8.8 and filtered on that source and destination.
diag sys session clear
diag sys session filter src 172.16.1.200
diag sys session filter dst 8.8.8.8
diag sys session list
session info: proto=1 proto_state=00 duration=47 expire=16 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00 route_preserve
statistic(bytes/packets/allow_err): org=252/3/1 reply=168/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=10->6/6->10 gwy=50.4.192.1/172.16.1.200
hook=post dir=org act=snat 172.16.1.200:1->8.8.8.8:8(50.4.203.235:60983)
hook=pre dir=reply act=dnat 8.8.8.8:60983->50.4.203.235:0(172.16.1.200:1)
src_mac=00:0c:29:xx:xx:xx
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0
serial=00005cac tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id= 80000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=64/68, ipid=68/64, vlan=0x0000/0x0000
vlifid=68/64, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=3/2
total session 1
show firewall policy 30
config firewall policy
edit 30
set name “VIRL_1_TO_5_TO_INTERNET”
set uuid 76c7ea24-f2d2-51e6-d5bf-d918557eec2e
set srcintf “internal1” “internal2” “internal3” “internal4” “internal5”
set dstintf “virtual-wan-link”
set srcaddr “all”
set dstaddr “all”
set action accept
set schedule “always”
set service “ALL”
set logtraffic all
set nat enable
next
end
This is DNS traffic from one of my two DNS servers. Proto 17 is UDP, and proto_state 01 means a reply has been seen. As you can see, tuples=3 indicates two-way communication; the hook lines show the traffic being sent and the reply being received.
diag sys session filter src 172.16.1.210
diag sys session list
session info: proto=17 proto_state=01 duration=92 expire=87 timeout=0 flags=00000000 socktype=0 sockport=7900 av_idx
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=redir log dirty local may_dirty npu src-vis nlb route_preserve
statistic(bytes/packets/allow_err): org=96/1/1 reply=255/1/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=10->6/6->10 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 172.16.1.210:56846->204.74.108.1:53(50.4.203.235:56846)
hook=pre dir=reply act=dnat 204.74.108.1:53->50.4.203.235:56846(172.16.1.210:56846)
hook=post dir=reply act=noop 204.74.108.1:53->172.16.1.210:56846(0.0.0.0:0)
src_mac=00:0c:29:xx:xx:xx
misc=0 policy_id=61 auth_info=0 chk_client_info=0 vd=0
serial=0000d72b tos=40/40 app_list=0 app=0 url_cat=0
rpdb_link_id= 80000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: redir-to-av mac-host-check
xx:xx
show firewall policy 61
config firewall policy
edit 61
set name “MyDNS172_To_Internet”
set uuid 83caefea-a996-51ea-0b56-bd05b1e9c402
set srcintf “internal2”
set dstintf “virtual-wan-link”
set srcaddr “PriDNS172” “SecDNS172”
set dstaddr “all”
set action accept
set schedule “always”
set service “DNS”
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile “certificate-inspection”
set av-profile “default”
set dnsfilter-profile “default”
set nat enable
next
end