GUI Showing Zero Byte Sessions in the Session Table

Some sessions in the WebUI as well as CLI show zero bytes.

Viewing session details via CLI reveals the following:

Session 342567



c2s flow:

source: 0.0.0.0 [boe-trust]

dst: 74.125.228.70

proto: 6

sport: 0 dport: 6081

state: ACTIVE type: PRED

src user: unknown

dst user: unknown





s2c flow:

source: 74.125.228.70 [boe-untrust]

dst: 0.0.0.0

proto: 6

sport: 6081 dport: 0

state: OPENING type: PRED

src user: unknown

dst user: unknown





start time : Wed Sep 19 12:02:15 2012

timeout : 60 sec

time to live : 10 sec

total byte count(c2s) : 0

total byte count(s2c) : 0

layer7 packet count(c2s) : 0

layer7 packet count(s2c) : 0

vsys : vsys5

application : undecided

rule :

application db : 0

session to be logged at end : False

session in session ager : True

session synced from HA peer : False

address/port translation : source + destination

nat-rule : global-nat(vsys5)

prediction triggered by : server

prediction matched once : False

Resolution

The sessions listed above from the CLI output are "Predict" sessions. It is normal expected behavior for predict sessions to show zero bytes.

A predict session is a session that was opened for expected traffic to eventually hit the firewall using the 6-tuple listed in the predict session.

Once traffic matches that predict session, the predict session turns into an active flow which is a "real" session. Until then, zero bytes is normal and expected.