show counter global | match proxy


Need to verify if the below output looks good from SSL decrypt

 

show counter global | match proxy
ctd_fwd_session_proxy_deny 384306 0 info ctd pktproc Content forward: action init denied for decrypted sessions
ctd_switch_proxy 4 0 info ctd pktproc switch to proxy
proxy_process 217482856 146 info proxy pktproc Number of flows go through proxy
proxy_invalid_flow 64719540 21 info proxy resource Number of invalid proxy flows
proxy_unhandled_icmp 2300 0 info proxy resource Number of unhandled ICMP error messages in proxy
proxy_ssl_no_resource 22535 0 info proxy pktproc Number of ssl sessions can't be decrypted because of out of resources
proxy_ssl_unsupported 86805 0 info proxy pktproc Number of ssl sessions using unsupported ssl protocol
proxy_ssl_invalid_cert 605 0 info proxy pktproc Number of ssl sessions using unvalid certificate
proxy_ssl_unsupported_cipher 529 0 info proxy pktproc Number of ssl sessions using unsupported cipher
proxy_ssl_untrusted_cert 197131 0 info proxy pktproc Number of ssl sessions using certificate from untrusted CA
proxy_ssl_expired_cert 88545 0 info proxy pktproc Number of ssl sessions using expired certificate
proxy_ssl_client_cert 228 0 info proxy pktproc Number of ssl sessions using client certificate
proxy_exclude_by_cache 360829 1 info proxy pktproc Number of ssl sessions bypassed proxy because of exclusion cache
proxy_exclude_by_sni 472284 2 info proxy pktproc Number of ssl sessions bypassed proxy because of client hello sni
proxy_client_hello_failed 72646 0 warn proxy pktproc Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_exceed_queue_limit 962 0 warn proxy resource proxy failed caused by limitation of session queued packets size
proxy_url_request_timeout 3129 0 warn proxy pktproc The url category request for ssl proxy is timedout
proxy_url_request_pkt_drop 391307 0 drop proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_url_category_unknown 7606 0 info proxy pktproc Number of sessions checked by proxy with unknown url category
proxy_url_blocked 954025 0 info proxy pktproc Number of sessions proxied because of url block
proxy_offload_check_err 91 0 drop proxy pktproc The number offload proxy setup check failed because of not SYN or no certificate
proxy_wait_pkt_drop 18437 0 drop proxy pktproc The number of packets get dropped because of waiting status in ssl proxy
proxy_decrypt_cert_validation_overall 17993 0 info proxy pktproc Overrall number of decrypted packet cert validation failure
proxy_decrypt_unsupport_param_overall 89268 0 info proxy pktproc Overrall number of decrypted packet unsupport param failure
proxy_decrypt_error_overall 7986168 0 info proxy pktproc Overrall number of decrypt error(not including cert validation and unsupport param)
proxy_timer_del_session_added 23 0 info proxy pktproc Number of timers added for deleting proxy host connection
proxy_timer_del_sessions 23 0 info proxy pktproc Number of proxy host connections deleted due to timer
proxy_proxy_host_not_connected 39 0 warn proxy pktproc Number of packets proxy_host tried to receive or transmit when not connected
url_session_not_in_ssl_wait 140454 0 error url system The session is not waiting for url in ssl proxy

MP

Help the community: Like helpful comments and mark solutions.

I see this 

 


proxy_url_request_pkt_drop 391323 0 drop proxy pktpr

 


proxy_offload_check_err 91 0 drop proxy pktpr
proxy_wait_pkt_drop 18441 0 drop proxy pktpr

 

but the drop number is zero, is this OK?

MP


each counter has 2 numbers

the one on the left is the total number since the last reset, the one on the right is the 'rate' (amount of events in the last x time)

 

if you add 'delta' to your arguments you'll get a better feel for the amount of events in a timeframe you decide

 

i.e. > show counter global filter delta yes (done twice, as the first one sets the start time)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
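
An added example, not part of any post in this thread: a small Python parser for the counter lines shown above that compares two snapshots and lists which drop, warn or error counters grew in between, the same comparison the delta option makes on the firewall. The sample lines are copied from the two outputs posted in the thread; the function and variable names are this example's own.

```python
import re

# Lines copied from the thread: part of the first output, and the later
# (truncated) output posted in the follow-up.
FIRST = """\
proxy_process 217482856 146 info proxy pktproc Number of flows go through proxy
proxy_url_request_pkt_drop 391307 0 drop proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_offload_check_err 91 0 drop proxy pktproc The number offload proxy setup check failed because of not SYN or no certificate
proxy_wait_pkt_drop 18437 0 drop proxy pktproc The number of packets get dropped because of waiting status in ssl proxy
"""
SECOND = """\
proxy_url_request_pkt_drop 391323 0 drop proxy pktpr
proxy_offload_check_err 91 0 drop proxy pktpr
proxy_wait_pkt_drop 18441 0 drop proxy pktpr
"""

# Layout seen in the thread: name, total, rate, severity, category, aspect, text
LINE_RE = re.compile(
    r"^(?P<name>[a-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>info|warn|error|drop)\s+(?P<category>\S+)\s+(?P<aspect>\S+)"
    r"(?:\s+(?P<desc>.*))?$"
)

def parse_counters(text):
    """Return {name: row} for each line matching the counter layout."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # prompts, blank lines and commands simply do not match
            row = m.groupdict()
            row["value"], row["rate"] = int(row["value"]), int(row["rate"])
            counters[row["name"]] = row
    return counters

def growth(before, after, severities=("drop", "warn", "error")):
    """Counters of the given severities whose total rose between snapshots."""
    out = {}
    for name, row in after.items():
        if row["severity"] in severities and name in before:
            diff = row["value"] - before[name]["value"]
            if diff > 0:  # a negative diff would mean the counters were reset
                out[name] = diff
    return out

if __name__ == "__main__":
    print(growth(parse_counters(FIRST), parse_counters(SECOND)))
```

Between the two posted outputs, proxy_url_request_pkt_drop grew by 16 and proxy_wait_pkt_drop by 4, even though the rate column read 0 in both.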

Thanks for answering the question.

If I want to know about any traffic dropping due to SSL decryption, then I should look for drop counters, right?

 

show counter global filter delta yes | match proxy
proxy_process 77 67 info proxy pktproc Number of flows go through proxy
proxy_invalid_flow 54 47 info proxy resource Number of invalid proxy flows
proxy_exclude_by_sni 2 1 info proxy pktproc Number of ssl sessions bypassed proxy because of client hello sni
url_session_not_in_ssl_wait 2 1 error url system The session is not waiting for url in ssl proxy????

 

What does the above error indicate?

MP
