Session parameters in the table and in text queries for the primary filter

The table below lists parameters displayed in the table of sessions and the corresponding names of the parameters that can be used in a primary filter text query. A description is also provided for each parameter.

Parameters in the table of sessions and in the primary filter

Each entry below gives the session table parameter, the corresponding primary filter parameter (where one exists), and the parameter description.

Session ID (primary filter parameter: session-id)

Session ID that is unique across all Kaspersky NGFW devices.

Security rule name (primary filter parameter: rule-name)

Name of the network traffic security rule. If you change the name of a security rule in the policy, it also changes in the Session Manager.

Date/time created (primary filter parameter: create-datetime)

Date and time when the session was created.

Date/time closed (primary filter parameter: close-datetime)

Date and time when the session was closed.

Duration (s) (primary filter parameter: duration)

Session lifetime in seconds.

Last activity time (primary filter parameter: last-active-time)

Date and time when the last packet was received as part of the current session.

Aging (primary filter parameter: last-active-aging)

Time in seconds elapsed since the last received packet.

Session meta state (primary filter parameter: meta-state)

Meta state of the session.

Session protocol state (primary filter parameter: protocol-state)

Protocol state in the session.

Packets (primary filter parameter: packets)

Total number of packets received as part of the session.

Packets c2s (primary filter parameter: packets-c2s)

Number of packets received from the client.

Packets s2c (primary filter parameter: packets-s2c)

Number of packets received from the server.

Bytes (primary filter parameter: bytes)

Total number of bytes received as part of the session.

Bytes c2s (primary filter parameter: bytes-c2s)

Number of bytes received from the client.

Bytes s2c (primary filter parameter: bytes-s2c)

Number of bytes received from the server.

Source IP (primary filter parameter: source-address)

Source IP address.

Destination IP (primary filter parameter: destination-address)

Destination IP address.

Protocol (primary filter parameter: transport-protocol)

Transport layer protocol.

URL(s) (no primary filter parameter)

Identified web address or array of web addresses.

Source port (primary filter parameter: source-port)

Source port for TCP and UDP. For ICMP, the ICMP ID is displayed. For other protocols, (N/A) is displayed.

Destination port (primary filter parameter: destination-port)

Destination port for TCP and UDP. For ICMP, the ICMP ID is displayed. For other protocols, (N/A) is displayed.

ICMP type (primary filter parameter: icmp-type)

ICMP type. For protocols other than ICMP, the table cell is empty.

For ICMP, the value is specified in the following format: {<ICMP type number of the ICMP request> / <ICMP type number of the ICMP response>}.

ICMP code (primary filter parameter: icmp-code)

ICMP code. For protocols other than ICMP, the table cell is empty.

For ICMP, the value is specified in the following format: {<ICMP code of the ICMP request> / <ICMP code of the ICMP response>}.

The field is also filled in for ICMP messages whose ICMP codes the administrator cannot configure.

TCP redirected (primary filter parameter: tcp-redirected)

Parameter indicating whether the session was redirected to a transparent TCP proxy. Possible values:

  • Yes
  • No

For UDP and ICMP sessions, always No.

Decrypted (primary filter parameter: decrypted)

Parameter indicating whether the session has been decrypted. Possible values:

  • Yes
  • No

Decryption rule name (primary filter parameter: decrypt-rule-name)

Name of the network traffic decryption rule. If you change the name of a decryption rule in the policy, it also changes in the Session Manager.

Application protocol (no primary filter parameter)

The application path used in the session.

Client application (primary filter parameter: client-app)

Client application.

Application service category (no primary filter parameter)

Category of the service or a list of the categories of services that the client accessed.

Application protocols (primary filter parameter: app-protocol)

Application layer protocols. For a complete list, see the List of possible protocol values for services article.

If neither UDP nor TCP is used for transport (including the case of unrecognized UDP and TCP), is displayed as the value.

Application service (primary filter parameter: app-service)

Application service.

Action (primary filter parameter: rule-action)

The action to perform with traffic.

Possible values:

  • block blocks traffic.

    The session gets the DISCARD status, and all packets of this session are dropped.

  • allow allows traffic.
  • inspect allows traffic and enables additional scans by security engines that are combined into security profile groups.

Full match (primary filter parameter: full-match)

Parameter indicating whether the session matches any security rule.

Possible values:

  • yes (in this case, the Action is always the same as the Action from the security rule that matches the session)
  • no (in this case, the Action is always inspect)

AV profile (primary filter parameter: av-profile)

Security profile of the Anti-Virus security engine applied to the session. Possible values:

  • no
  • default
  • Name of the Anti-Virus profile

IDPS profile (primary filter parameter: ids-profile)

Security profile of the IDPS security engine applied to the session. Possible values:

  • no
  • default
  • Name of the IDPS profile

Web Control profile (primary filter parameter: wc-profile)

Security profile of the Web Control security engine applied to the session. Possible values:

  • no
  • default
  • Name of the Web Control profile

DNS Security profile (primary filter parameter: dnssec-profile)

Security profile of the DNS Security security engine applied to the session. Possible values:

  • no
  • default
  • Name of the DNS Security profile

End reason (primary filter parameter: end-reason)

The reason why the session ended.

Displayed only for sessions that have ended for a reason but whose removal timeout has not yet expired, so they are still present in Kaspersky NGFW.

In the Session Manager section, the session ending reasons are displayed only for sessions in the DISCARD meta-state or the TCP_TIME_WAIT protocol state. Additional reasons are available in the Session Log.

Possible values:

  • rule-block means the session matched a security rule with the block action.
  • dnssec engine means the DNS Security security engine has blocked a threat.
  • wc engine means the Web Control security engine has blocked a threat.
  • idps engine means the IDPS security engine has blocked a threat.
  • av engine means the Anti-Virus security engine has blocked a threat.
  • decryption-error means errors were detected during decryption, for example: unsupported parameters (such as SSL version, cipher suites, algorithms), failed validation, errors in the protocol.
  • client-tcp-rst means the client has sent an RST.
  • server-tcp-rst means the server has sent an RST.
  • tcp-fin means hosts exchanged FINs.
  • timeout means the session had been in a state other than time-wait and discard, and was removed when the timeout expired. This does not include sessions closed by FIN, RST, pf rule, or security engines.

    Displayed only in the session log.

  • manual means a session that was in a state other than time-wait and discard was manually removed.

    Displayed only in the session log.

If a security engine error occurs, the session is not ended automatically and the reason is not displayed in the table. Depending on the security engine that encountered the error, Kaspersky NGFW performs one of the following actions: sends a TCP RST and removes the session (SSL inspection), bypasses the packet (bypass) in proxy mode or drops the packet in direct control mode (DPI and IDPS), bypasses the packet (Web Control), sends a TCP RST and removes the session for DNS over TCP or drops the packet for DNS over UDP (DNS Security).

NAT rule (primary filter parameter: KasperskyNGFWNatRule)

Name of the translation rule applied to traffic in the session (if applicable).

Translated source address (primary filter parameter: translated-source-address)

IP address that replaced the original source IP address of the traffic in the session.

Translated source port (primary filter parameter: translated-source-port)

Port that replaced the original source port of the traffic in the session.

Translated destination address (primary filter parameter: translated-destination-address)

IP address that replaced the original destination IP address of the traffic in the session.

Translated destination port (primary filter parameter: translated-destination-port)

Port that replaced the original destination port of the traffic in the session.

address (primary filter parameter only; no session table column)

IP address that can be the source or destination IP address. Can be used as an additional parameter in the filter to match both the source and destination address.

port (primary filter parameter only; no session table column)

Port that can be the source or destination port. Can be used as an additional parameter in the filter to match both the source and the destination.
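As an added illustration (not Kaspersky's own code or filter query syntax), the following Python model keys session records by the primary filter parameter names from the table and implements the direction-agnostic address and port matching, the full-match/action invariant, and the Session Manager display rule for end reasons. The sample sessions and the protocol-state values other than TCP_TIME_WAIT are constructed placeholders.

```python
# Constructed sample session records (not captured from a real device); the
# meta-state and protocol-state values other than DISCARD and TCP_TIME_WAIT are
# placeholders, not a statement of what the product displays.
SESSIONS = [
    {"session-id": 101, "source-address": "10.0.0.5", "destination-address": "198.51.100.7",
     "transport-protocol": "tcp", "source-port": 51000, "destination-port": 443,
     "meta-state": "ESTABLISHED", "protocol-state": "TCP_ESTABLISHED",
     "full-match": "yes", "rule-action": "allow", "end-reason": None},
    {"session-id": 102, "source-address": "10.0.0.9", "destination-address": "198.51.100.7",
     "transport-protocol": "tcp", "source-port": 51001, "destination-port": 443,
     "meta-state": "DISCARD", "protocol-state": "TCP_CLOSED",
     "full-match": "yes", "rule-action": "block", "end-reason": "rule-block"},
    {"session-id": 103, "source-address": "198.51.100.7", "destination-address": "10.0.0.5",
     "transport-protocol": "udp", "source-port": 53, "destination-port": 40000,
     "meta-state": "ESTABLISHED", "protocol-state": "UDP",
     "full-match": "no", "rule-action": "inspect", "end-reason": None},
]


def matches(session, criteria):
    """True when every criterion holds. 'address' and 'port' match either the
    source or the destination side, as the table describes; every other key is
    compared against the session field of the same name."""
    for name, want in criteria.items():
        if name == "address":
            if want not in (session["source-address"], session["destination-address"]):
                return False
        elif name == "port":
            if want not in (session["source-port"], session["destination-port"]):
                return False
        elif session.get(name) != want:
            return False
    return True


def filter_sessions(sessions, criteria):
    """Return the IDs of all sessions matching every criterion, in table order."""
    return [s["session-id"] for s in sessions if matches(s, criteria)]


def full_match_consistent(session):
    """Invariant from the table: full-match 'no' always comes with action 'inspect'."""
    return session["full-match"] == "yes" or session["rule-action"] == "inspect"


def displayed_end_reason(session):
    """The Session Manager shows an end reason only for sessions in the DISCARD
    meta-state or the TCP_TIME_WAIT protocol state; otherwise the cell is empty."""
    if session["meta-state"] == "DISCARD" or session["protocol-state"] == "TCP_TIME_WAIT":
        return session["end-reason"]
    return None
```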
