Fortinet black logo

Cookbook

Using a session table

Copy Link
Copy Doc ID 5be0d1a4-3f0d-11eb-96b9-00505692583a:562859
Download PDF

Using a session table

A session is a communication channel between two devices or applications across the network. Sessions allow FortiOS to inspect and act on a sequential group of packets in a session all at once instead of inspecting each packet individually. Each session has an entry in the session table that includes important information about the session.

You can view FortiGate session tables from the FortiGate GUI or CLI. The most useful troubleshooting data comes from the CLI. The session table in the GUI also provides useful summary information, particularly the current policy number that the session is using.

When to use a session table

Session tables are useful when verifying open connections. For example, if you have a web browser open to browse the Fortinet website, you would expect a session entry from your computer on port 80 to the IP address for the Fortinet website.

You can also use a session table to investigate why there are too many sessions for FortiOS to process.

GUI

To view session information, go to the FortiView page.

For information about FortiView consoles, see FortiView.

Finding the security policy for a specific connection

Every program and device on your network must have an open communication channel or session to pass information. FortiGate manages these sessions with features such as traffic shaping, antivirus scanning, and blocking known bad websites. Each session will have an entry in the session table.

If a secure web browser session is not working properly, you can check the session table to ensure the session is still active and going to the proper address. The session table can also tell you the security policy number it matches, so you can check what is happening in that policy.

1. Get the connection information.

You need to be able to identify the session you want. To do this, you will need:

  • The source IP address (usually your computer)
  • The destination IP address (if you have it)
  • The port number which is determined by the program you are using. Common ports are:
    • Port 80 (HTTP for web browsing)
    • Port 443 (HTTPS for SSL encrypted web browsing)
    • Port 22 (SSH for Secure Shell)
    • Port 25 (SMTP for Mail Transfer)
2. Find the session and policy ID

Go to FortiView > All Sessions.

To find your session, search for your source IP address, destination IP address (if you have it), and port number. The policy ID is listed after the destination information.

3. Use filters to find a session

If there are multiple pages of sessions, you can use a filter to hide the sessions you do not need. To filter the sessions in the table, click Add Filter, and select an option from the list. You can filter the table by Destination IP, Source IP, or Source Port.

CLI

The session table output in the CLI is very large. The CLI command supports filters to show only the data you need.

To view session data in the CLI:

diagnose sys session list

An entry is placed in the session table for each traffic session passing through a security policy

To filter session data:

diagnose sys session filter <option>

The values for <option> include the following:

Value

Definition

clear

Clear session filter

dintf

Destination interface

dport

Destination port

dst

Destination IP address

duration

Duration of the session

expire

Expire

negate

Inverse filter

nport

NAT'd source port

nsrc

NAT'd source ip address

policy

Policy ID

proto

Protocol number

proto-state

Protocol state

session-state1

Session state1

session-state2

Session state2

sintf

Source interface

sport

Source port

src

Source IP address

vd

Index of virtual domain, -1 matches all

Even though UDP is a sessionless protocol, FortiGate keeps track of the following states:

  • When UDP reply does not have a value of 0
  • When UDP reply has a value of 1

The following table displays firewall session states from the session table:

State

Description

log

Session is being logged

local

Session is originated from or destined for local stack

ext

Session is created by a firewall session helper

may_dirty

Session is created by a policy

For example, the session for ftp control channel will have this state but ftp data channel won't. This is also seen when NAT is enabled.

ndr

Session will be checked by IPS signature

nds

Session will be checked by IPS anomaly

br

Session is being bridged (TP) mode

Examining the firewall session list

The firewall session list displays all open sessions in FortiGate. Examine the list for strange patterns, such as no sessions apart from the internal network, or all sessions are only to one IP address.

When you examine the firewall session list in the CLI, you can use filters to reduce the output. In the GUI, the filters are part of the interface.

To examine the firewall session list in the GUI:

Go to FortiView > All Sessions.

To examine the firewall session list in the CLI:

You can use a filter to limit the sessions displayed by source, destination address, port, or NAT'd address. To use more than one filter, enter a separate line for each value.

The following example filters the session list based on a source address of 10.11.101.112:

FGT# diagnose sys session filter src 10.11.101.112

FGT# diagnose sys session list

The following example filters the session list based on a destination address of 172.20.120.222.

FGT# diagnose sys session filter dst 172.20.120.222

FGT# diagnose sys session list

To clear all sessions corresponding to a filter:

FGT# diagnose sys session filter dst 172.20.120.222

FGT# diagnose sys session clear

Checking source NAT information

Checking source NAT is important when you are troubleshooting from the remote end of the connection outside the firewall.

To check the source NAT information in the GUI:
  1. Go to FortiView > All Sessions.
  2. Check the values in the Source Nat Address and Source Nat Port columns. These columns display the IP and port values after NAT has been applied.

Checking the NAT values can help you confirm they are the values you expect, and to ensure the remote end of the sessions can see the expected IP address and port number.

To check the source NAT information in the CLI:

When you display the session list in the CLI, you can match the NAT'd source address (nsrc) and port (nport). This is useful when multiple internal IP addresses are NAT'd to a common external-facing source IP address.

FGT# diagnose sys session filter nsrc 172.20.120.122

FGT# diagnose sys session filter nport 8888

FGT# diagnose sys session list

Using a session table

A session is a communication channel between two devices or applications across the network. Sessions allow FortiOS to inspect and act on a sequential group of packets in a session all at once instead of inspecting each packet individually. Each session has an entry in the session table that includes important information about the session.

You can view FortiGate session tables from the FortiGate GUI or CLI. The most useful troubleshooting data comes from the CLI. The session table in the GUI also provides useful summary information, particularly the current policy number that the session is using.

When to use a session table

Session tables are useful when verifying open connections. For example, if you have a web browser open to browse the Fortinet website, you would expect a session entry from your computer on port 80 to the IP address for the Fortinet website.

You can also use a session table to investigate why there are too many sessions for FortiOS to process.

GUI

To view session information, go to the FortiView page.

For information about FortiView consoles, see FortiView.

Finding the security policy for a specific connection

Every program and device on your network must have an open communication channel or session to pass information. FortiGate manages these sessions with features such as traffic shaping, antivirus scanning, and blocking known bad websites. Each session will have an entry in the session table.

If a secure web browser session is not working properly, you can check the session table to ensure the session is still active and going to the proper address. The session table can also tell you the security policy number it matches, so you can check what is happening in that policy.

1. Get the connection information.

You need to be able to identify the session you want. To do this, you will need:

  • The source IP address (usually your computer)
  • The destination IP address (if you have it)
  • The port number which is determined by the program you are using. Common ports are:
    • Port 80 (HTTP for web browsing)
    • Port 443 (HTTPS for SSL encrypted web browsing)
    • Port 22 (SSH for Secure Shell)
    • Port 25 (SMTP for Mail Transfer)
2. Find the session and policy ID

Go to FortiView > All Sessions.

To find your session, search for your source IP address, destination IP address (if you have it), and port number. The policy ID is listed after the destination information.

3. Use filters to find a session

If there are multiple pages of sessions, you can use a filter to hide the sessions you do not need. To filter the sessions in the table, click Add Filter, and select an option from the list. You can filter the table by Destination IP, Source IP, or Source Port.

CLI

The session table output in the CLI is very large. The CLI command supports filters to show only the data you need.

To view session data in the CLI:

diagnose sys session list

An entry is placed in the session table for each traffic session passing through a security policy

To filter session data:

diagnose sys session filter <option>

The values for <option> include the following:

Value

Definition

clear

Clear session filter

dintf

Destination interface

dport

Destination port

dst

Destination IP address

duration

Duration of the session

expire

Expire

negate

Inverse filter

nport

NAT'd source port

nsrc

NAT'd source ip address

policy

Policy ID

proto

Protocol number

proto-state

Protocol state

session-state1

Session state1

session-state2

Session state2

sintf

Source interface

sport

Source port

src

Source IP address

vd

Index of virtual domain, -1 matches all

Even though UDP is a sessionless protocol, FortiGate keeps track of the following states:

  • When UDP reply does not have a value of 0
  • When UDP reply has a value of 1

The following table displays firewall session states from the session table:

State

Description

log

Session is being logged

local

Session is originated from or destined for local stack

ext

Session is created by a firewall session helper

may_dirty

Session is created by a policy

For example, the session for ftp control channel will have this state but ftp data channel won't. This is also seen when NAT is enabled.

ndr

Session will be checked by IPS signature

nds

Session will be checked by IPS anomaly

br

Session is being bridged (TP) mode

Examining the firewall session list

The firewall session list displays all open sessions in FortiGate. Examine the list for strange patterns, such as no sessions apart from the internal network, or all sessions are only to one IP address.

When you examine the firewall session list in the CLI, you can use filters to reduce the output. In the GUI, the filters are part of the interface.

To examine the firewall session list in the GUI:

Go to FortiView > All Sessions.

To examine the firewall session list in the CLI:

You can use a filter to limit the sessions displayed by source, destination address, port, or NAT'd address. To use more than one filter, enter a separate line for each value.

The following example filters the session list based on a source address of 10.11.101.112:

FGT# diagnose sys session filter src 10.11.101.112

FGT# diagnose sys session list

The following example filters the session list based on a destination address of 172.20.120.222.

FGT# diagnose sys session filter dst 172.20.120.222

FGT# diagnose sys session list

To clear all sessions corresponding to a filter:

FGT# diagnose sys session filter dst 172.20.120.222

FGT# diagnose sys session clear

Checking source NAT information

Checking source NAT is important when you are troubleshooting from the remote end of the connection outside the firewall.

To check the source NAT information in the GUI:
  1. Go to FortiView > All Sessions.
  2. Check the values in the Source Nat Address and Source Nat Port columns. These columns display the IP and port values after NAT has been applied.

Checking the NAT values can help you confirm they are the values you expect, and to ensure the remote end of the sessions can see the expected IP address and port number.

To check the source NAT information in the CLI:

When you display the session list in the CLI, you can match the NAT'd source address (nsrc) and port (nport). This is useful when multiple internal IP addresses are NAT'd to a common external-facing source IP address.

FGT# diagnose sys session filter nsrc 172.20.120.122

FGT# diagnose sys session filter nport 8888

FGT# diagnose sys session list