Using a session table
A session is a communication channel between two devices or applications across the network. Sessions allow FortiOS to inspect and act on a sequential group of packets in a session all at once instead of inspecting each packet individually. Each session has an entry in the session table that includes important information about the session.
You can view FortiGate session tables from the FortiGate GUI or CLI. The most useful troubleshooting data comes from the CLI. The session table in the GUI also provides useful summary information, particularly the current policy number that the session is using.
When to use a session table
Session tables are useful when verifying open connections. For example, if you have a web browser open to browse the Fortinet website, you would expect a session entry from your computer on port 80 to the IP address for the Fortinet website.
You can also use a session table to investigate why there are too many sessions for FortiOS to process.
GUI
To view session information, go to the FortiView page.
For information about FortiView consoles, see FortiView.
Finding the security policy for a specific connection
Every program and device on your network must have an open communication channel or session to pass information. FortiGate manages these sessions with features such as traffic shaping, antivirus scanning, and blocking known bad websites. Each session will have an entry in the session table.
If a secure web browser session is not working properly, you can check the session table to ensure the session is still active and going to the proper address. The session table can also tell you the security policy number it matches, so you can check what is happening in that policy.
1. Get the connection information.
You need to be able to identify the session you want. To do this, you will need:
- The source IP address (usually your computer)
- The destination IP address (if you have it)
- The port number which is determined by the program you are using. Common ports are:
- Port 80 (HTTP for web browsing)
- Port 443 (HTTPS for SSL encrypted web browsing)
- Port 22 (SSH for Secure Shell)
- Port 25 (SMTP for Mail Transfer)
2. Find the session and policy ID
Go to FortiView > All Sessions.
To find your session, search for your source IP address, destination IP address (if you have it), and port number. The policy ID is listed after the destination information.
3. Use filters to find a session
If there are multiple pages of sessions, you can use a filter to hide the sessions you do not need. To filter the sessions in the table, click Add Filter, and select an option from the list. You can filter the table by Destination IP, Source IP, or Source Port.
CLI
The session table output in the CLI is very large. The CLI command supports filters to show only the data you need.
To view session data in the CLI:
diagnose sys session list
An entry is placed in the session table for each traffic session passing through a security policy
To filter session data:
diagnose sys session filter <option>
The values for <option>
include the following:
Value |
Definition |
---|---|
|
Clear session filter |
|
Destination interface |
|
Destination port |
|
Destination IP address |
|
Duration of the session |
|
Expire |
|
Inverse filter |
|
NAT'd source port |
|
NAT'd source ip address |
|
Policy ID |
|
Protocol number |
|
Protocol state |
|
Session state1 |
|
Session state2 |
|
Source interface |
|
Source port |
|
Source IP address |
|
Index of virtual domain, |
Even though UDP is a sessionless protocol, FortiGate keeps track of the following states:
- When UDP reply does not have a value of 0
- When UDP reply has a value of 1
The following table displays firewall session states from the session table:
State |
Description |
---|---|
log |
Session is being logged |
local |
Session is originated from or destined for local stack |
ext |
Session is created by a firewall session helper |
may_dirty |
Session is created by a policy For example, the session for |
ndr |
Session will be checked by IPS signature |
nds |
Session will be checked by IPS anomaly |
br |
Session is being bridged (TP) mode |
Examining the firewall session list
The firewall session list displays all open sessions in FortiGate. Examine the list for strange patterns, such as no sessions apart from the internal network, or all sessions are only to one IP address.
When you examine the firewall session list in the CLI, you can use filters to reduce the output. In the GUI, the filters are part of the interface.
To examine the firewall session list in the GUI:
Go to FortiView > All Sessions.
To examine the firewall session list in the CLI:
You can use a filter to limit the sessions displayed by source, destination address, port, or NAT'd address. To use more than one filter, enter a separate line for each value.
The following example filters the session list based on a source address of 10.11.101.112:
FGT# diagnose sys session filter src 10.11.101.112
FGT# diagnose sys session list
The following example filters the session list based on a destination address of 172.20.120.222.
FGT# diagnose sys session filter dst 172.20.120.222
FGT# diagnose sys session list
To clear all sessions corresponding to a filter:
FGT# diagnose sys session filter dst 172.20.120.222
FGT# diagnose sys session clear
Checking source NAT information
Checking source NAT is important when you are troubleshooting from the remote end of the connection outside the firewall.
To check the source NAT information in the GUI:
- Go to FortiView > All Sessions.
- Check the values in the Source Nat Address and Source Nat Port columns. These columns display the IP and port values after NAT has been applied.
Checking the NAT values can help you confirm they are the values you expect, and to ensure the remote end of the sessions can see the expected IP address and port number.
To check the source NAT information in the CLI:
When you display the session list in the CLI, you can match the NAT'd source address (nsrc
) and port (nport
). This is useful when multiple internal IP addresses are NAT'd to a common external-facing source IP address.
FGT# diagnose sys session filter nsrc 172.20.120.122
FGT# diagnose sys session filter nport 8888
FGT# diagnose sys session list