Using a session table

A session is a communication channel between two devices or applications across the network. Sessions allow FortiOS to inspect and act on a sequential group of packets in a session all at once instead of inspecting each packet individually. Each session has an entry in the session table that includes important information about the session.

You can view FortiGate session tables from the FortiGate GUI or CLI. The most useful troubleshooting data comes from the CLI. The session table in the GUI also provides useful summary information, particularly the current policy number that the session is using.

When to use a session table

Session tables are useful when verifying open connections. For example, if you have a web browser open to browse the Fortinet website, you would expect a session entry from your computer on port 80 to the IP address for the Fortinet website.

You can also use a session table to investigate why there are too many sessions for FortiOS to process.

GUI

To view session information in the GUI:
  1. Go to Security Fabric > Physical Topology.
  2. From the Metrics dropdown, select Sessions.

Finding the security policy for a specific connection

Every program and device on your network must have an open communication channel or session to pass information. FortiGate manages these sessions with features such as traffic shaping, antivirus scanning, and blocking known bad websites. Each session will have an entry in the session table.

If a secure web browser session is not working properly, you can check the session table to ensure the session is still active and going to the proper address. The session table can also tell you the security policy number it matches, so you can check what is happening in that policy.

1. Get the connection information.

You need to be able to identify the session you want. To do this, you will need:

  • The source IP address (usually your computer)
  • The destination IP address (if you have it)
  • The port number which is determined by the program you are using. Common ports are:
    • Port 80 (HTTP for web browsing)
    • Port 443 (HTTPS for SSL encrypted web browsing)
    • Port 22 (SSH for Secure Shell)
    • Port 25 (SMTP for Mail Transfer)

2. Find the session and policy ID

Go to Security Fabric > Physical Topology. From the Metrics dropdown, select Sessions.

To find your session, search for your source IP address, destination IP address (if you have it), and port number. The policy ID is listed after the destination information.

3. Use filters to find a session

If there are multiple pages of sessions, you can use a filter to hide the sessions you do not need. To filter the sessions in the table, click Add Filter, and select an option from the list. You can filter the table by Destination IP, Source IP, or Source Port.

CLI

The session table output in the CLI is very large. The CLI command supports filters to show only the data you need.

To view session data in the CLI:

diagnose sys session list

An entry is placed in the session table for each traffic session passing through a security policy.

To filter session data:

diagnose sys session filter <option>

The values for <option> include the following:

Value           Definition
clear           Clear session filter
dintf           Destination interface
dport           Destination port
dst             Destination IP address
duration        Duration of the session
expire          Expire time
negate          Inverse filter
nport           NAT'd source port
nsrc            NAT'd source IP address
policy          Policy ID
proto           Protocol number
proto-state     Protocol state
session-state1  Session state1
session-state2  Session state2
sintf           Source interface
sport           Source port
src             Source IP address
vd              Index of virtual domain, -1 matches all

Even though UDP is a sessionless protocol, FortiGate keeps track of the following states:

  • When the UDP reply does not have a value of 0
  • When the UDP reply has a value of 1
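
The CLI lookup described above, as an added example that is not part of this page or of FortiOS: a small Python parser for a listing in the shape of diagnose sys session list output, fed a constructed two-entry sample, that returns the policy ID for a given source, destination and port and picks out entries carrying a given state flag. The layout of the listing (the proto=, state= and policy_id= fields and the dir=org tuple line) is assumed from typical output; only those fields are read.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of typical "diagnose sys session list" output
# (the exact layout is an assumption; only the fields used below matter).
SAMPLE = """\
session info: proto=6 proto_state=01 duration=19 expire=3580 timeout=3600
state=log may_dirty
hook=post dir=org act=snat 192.168.1.10:54321->203.0.113.10:443(198.51.100.1:54321)
hook=pre dir=reply act=dnat 203.0.113.10:443->198.51.100.1:54321(192.168.1.10:54321)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=01 duration=5 expire=175 timeout=180
state=local
hook=pre dir=org act=noop 192.168.1.10:50000->192.168.1.99:53(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

Session = namedtuple("Session", "proto src sport dst dport policy_id states")

# Originating 5-tuple line: "dir=org act=<action> src:sport->dst:dport(...)" (IPv4 assumed)
ORG_TUPLE = re.compile(r"dir=org act=\w+ ([\d.]+):(\d+)->([\d.]+):(\d+)")

def parse_sessions(text):
    """Split the listing into entries and keep the fields a policy lookup needs."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        kv = dict(re.findall(r"(\w+)=(\S+)", chunk))  # key=value pairs, last wins
        m = ORG_TUPLE.search(chunk)
        if m is None:
            continue  # no originating tuple line: nothing to match a connection on
        st = re.search(r"^state=(.*)$", chunk, re.M)  # flags such as log, local
        sessions.append(Session(
            proto=int(kv["proto"]),
            src=m.group(1), sport=int(m.group(2)),
            dst=m.group(3), dport=int(m.group(4)),
            policy_id=int(kv["policy_id"]),
            states=frozenset(st.group(1).split()) if st else frozenset(),
        ))
    return sessions

def find_policy_ids(sessions, src, dst, dport):
    """Policy IDs of sessions matching the source IP, destination IP and port."""
    return sorted({s.policy_id for s in sessions
                   if s.src == src and s.dst == dst and s.dport == dport})

def with_state(sessions, state):
    """Sessions whose state= line carries the given flag."""
    return [s for s in sessions if state in s.states]
```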

The following table displays firewall session states from the session table:

State      Description
log        Session is being logged
local      Session is originated from or destined for the local stack
ext        Session is created by a firewall session helper
may_dirty