Chapter 18 Troubleshooting : Troubleshooting tools : FortiOS diagnostics : Session table : CLI session information
CLI session information
The session table output from the CLI (diag sys session list) is very verbose. Even on a system with a small amount of traffic, displaying the session table will generate a large amount of output. For this reason, filters are used to display only the session data of interest.
You can filter a column in the web-based manager by clicking the funnel icon on the column heading or from the CLI by creating a filter.
An entry is placed in the session table for each traffic session passing through a security policy. The following command lists the information for every session in the table:
diag sys session list
Sample Output:
FGT# diag sys session list
session info: proto=6 proto_state=05 expire=89 timeout=3600 flags=00000000 av_idx=0 use=3
bandwidth=204800/sec guaranteed_bandwidth=102400/sec traffic=332/sec prio=0 logtype=session ha_id=0 hakey=4450
tunnel=/
state=log shape may_dirty
statistic(bytes/packets/err): org=3408/38/0 reply=3888/31/0 tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/5 gwy=192.168.11.254/10.0.5.100
hook=post dir=org act=snat 10.0.5.100:1251->192.168.11.254:22(192.168.11.105:1251)
hook=pre dir=reply act=dnat 192.168.11.254:22->192.168.11.105:1251(10.0.5.100:1251)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 domain_info=0 auth_info=0 ftgd_info=0 ids=0x0 vd=0 serial=00007c33 tos=ff/ff
Since output can be verbose, the filter option allows specific information to be displayed, for example:
diag sys session filter <option>
The <option> values available include the following:
clear        Clear the session filter.
dintf        Destination interface.
dport        Destination port.
dst          Destination IP address.
duration     Session duration.
expire       Session expire value.
negate       Inverse filter.
nport        NAT'd source port.
nsrc         NAT'd source IP address.
policy       Policy ID.
proto        Protocol number.
proto-state  Protocol state.
sintf        Source interface.
sport        Source port.
src          Source IP address.
vd           Index of virtual domain. -1 matches all.
Even though UDP is a sessionless protocol, the FortiGate unit still keeps track of the following two different states:
0  UDP reply not seen
1  UDP reply seen
The following table lists the firewall session states that appear on the state line of a session table entry:

Table 107: Firewall session states
State      Meaning
log        Session is being logged.
local      Session is originated from or destined for the local stack.
ext        Session is created by a firewall session helper.
may_dirty  Session is created by a policy. For example, the session for the FTP control channel will have this state but the FTP data channel will not. This is also seen when NAT is enabled.
ndr        Session will be checked by IPS signature.
nds        Session will be checked by IPS anomaly.
br         Session is being bridged (transparent mode, TP).