Viewing in the WebGUI
A listing of the firewall state table contents is available in the WebGUI by navigating to Diagnostics > States. Figure Example States shows a sample of the output displayed by the GUI.
The firewall displays several columns on this page, each with important information:
- Interface
The interface to which the state is bound. This is the interface through which the packet initially entered or exited the firewall.
- Protocol
The protocol of the traffic that created the state, such as TCP, UDP, ICMP, or ESP.
- Source and Destination
This column is in two parts, first the source, then an arrow indicating direction, and then the destination. The source and destination may also have a port number listed if the protocol in question uses ports. In cases where NAT is applied (outbound NAT, port forwards, or 1:1 NAT), the address is shown both before and after NAT has been applied.
For NAT types that translate the source, such as outbound NAT, the source section displays the translated source, with the original source in parentheses. For NAT types that translate the destination, such as port forwards, the destination section shows the translated destination, with the original destination in parentheses.
- State
The current status of the connection being tracked by this state entry. The specific values vary depending on the protocol. For example, TCP has many more state types than UDP or other connectionless protocols. The entry in this column contains two parts separated by a colon. The first part is the state for the source side, and the second part is the state for the destination side. See Interpreting States for more detail.
- Packets
The number of packets observed matching the state from the source and destination sides.
- Bytes
The total size of packets observed matching the state from the source and destination sides.
Individual states may be removed by clicking at the end of their row.

Figure: Example States
Filtering States
The State Filter panel enables quick searching of the state table contents to find items of interest.
To search for a state:
Select a specific Interface in the State Filter panel or leave it on all to match all interfaces.
Enter a Filter Expression which is a simple string of text to match exactly in the entry. Regular expressions are not supported in this field.
Click Filter to locate the results.
All columns are searched for matching text, and only entries matching the text are displayed.
Tip
Searching for an IP address or subnet will also present a Kill States button which, when clicked, will remove all states originating from or going to the entered IP address or subnet.
Interpreting States
The State column for each state table entry provides information necessary to determine exactly what is happening with the connection. Each state entry contains two values with a colon between them, marking which value represents the state of the source (left), and which represents the destination (right).
A few of the most common state types are:
- SYN_SENT
For TCP connections, this indicates that the side showing this state sent a TCP SYN packet attempting to start a connection handshake.
- CLOSED
For TCP connections, the side with this status considers the connection closed, or no traffic has been received.
- ESTABLISHED
A TCP connection is considered fully established by this side.
- TIME_WAIT/FIN_WAIT
A TCP connection is in the process of closing and finishing up.
- NO_TRAFFIC
No packets have been received that match the state from this side.
- SINGLE
A single packet has been observed on this state from this side.
- MULTIPLE
Multiple packets have been observed on this state from this side.
Common pairings frequently found in the state table include:
- ESTABLISHED:ESTABLISHED
A fully established two-way TCP connection.
- SYN_SENT:CLOSED
The side showing SYN_SENT has sent a TCP SYN packet but no response has been received from the far side. Often this is due to the packet not reaching its destination, or being blocked along the way.
- SINGLE:NO_TRAFFIC
Similar to the above, but for UDP and other connectionless protocols. No response has been received from the destination side.
- SINGLE:MULTIPLE
For UDP and other connectionless protocols, commonly observed with DNS where the client sends one packet but receives a large response in multiple packets.
- MULTIPLE:MULTIPLE
For UDP and other connectionless protocols, there are multiple packets in both directions, which is normal for a fully operational UDP connection.
- 0:0
Indicates that there is no state level data. Typically only found on ICMP states, since ICMP does not have state levels like other protocols.
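The following is an added example, not taken from the firewall's documentation or code. It parses state rows, including the translated and original (parenthesized) NAT addresses, and counts per pre-NAT source the states whose pairing shows no reply from the destination (SYN_SENT:CLOSED and SINGLE:NO_TRAFFIC). The one-line-per-state text layout, the sample rows, and the function names `parse_states` and `unanswered_by_source` are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample rows, one per state, laid out like the columns described
# above: interface, protocol, source -> destination, state pair. NAT'd
# endpoints show the translated address first and the original in parentheses.
SAMPLE = """\
WAN tcp 198.51.100.2:51512 (192.168.1.10:51512) -> 203.0.113.5:443 ESTABLISHED:ESTABLISHED
LAN tcp 192.168.1.10:51512 -> 203.0.113.5:443 ESTABLISHED:ESTABLISHED
LAN tcp 192.168.1.23:40110 -> 203.0.113.77:8443 SYN_SENT:CLOSED
LAN tcp 192.168.1.23:40111 -> 203.0.113.78:8443 SYN_SENT:CLOSED
LAN udp 192.168.1.10:53411 -> 192.0.2.53:53 SINGLE:MULTIPLE
LAN udp 192.168.1.40:123 -> 192.0.2.123:123 SINGLE:NO_TRAFFIC
WAN tcp 203.0.113.9:60000 -> 192.168.1.80:80 (198.51.100.2:8080) ESTABLISHED:ESTABLISHED
LAN icmp 192.168.1.10 -> 192.0.2.1 0:0
"""

ENDPOINT = r"(\S+)(?: \((\S+)\))?"  # address[:port], optional "(original)"
ROW = re.compile(rf"^(\S+) (\S+) {ENDPOINT} -> {ENDPOINT} ([^\s:]+):([^\s:]+)$")
FIELDS = ("iface", "proto", "src", "src_orig", "dst", "dst_orig",
          "src_state", "dst_state")

# Pairings where the destination side never answered, per the list above.
UNANSWERED = {("SYN_SENT", "CLOSED"), ("SINGLE", "NO_TRAFFIC")}


def parse_states(text):
    """Parse rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(dict(zip(FIELDS, m.groups())))
    return rows


def unanswered_by_source(rows):
    """Count unanswered states per pre-NAT source IP (IPv4 only)."""
    counts = Counter()
    for r in rows:
        if (r["src_state"], r["dst_state"]) in UNANSWERED:
            endpoint = r["src_orig"] or r["src"]
            counts[endpoint.rsplit(":", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    for ip, n in unanswered_by_source(parse_states(SAMPLE)).most_common():
        print(f"{ip}: {n} state(s) with no reply from the destination")
```

A source that accumulates many such states is worth checking against the firewall rules and the upstream path, since the page notes these pairings often mean the packet did not reach its destination or was blocked along the way.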