While troubleshooting, the session filter command is used on a FortiGate to check the DNAT/SNAT, policy, gateway, etc. for a particular source towards a particular destination IP. This KB article explains how to add multiple source and destination IPs to the filter so that the details for all of the specified sources and destinations can be checked at the same time.

The example below uses 1.1.1.1 and 8.8.8.8 as destinations:

    diagnose sys session filter ext-dst 1.1.1.1
    diagnose sys session filter ext-dst 8.8.8.8

To verify that the filter has been set:

    diagnose sys session filter
    session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: any
        NAT'd source ip: any
        dest ip: any
        source port: any
        NAT'd source port: any
        dest port: any
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any
        Extended filters:
            Destination IP List:
                1.1.1.1
                8.8.8.8      <----- Both IPs appear in the destination IP list.

To view the matching sessions:

    diagnose sys session list

Example output (one session towards each destination; note the policy_id, gwy and the snat/dnat tuples for each):

    session info: proto=1 proto_state=00 duration=7 expire=493 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
    state=log may_dirty f00
    statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
    tx speed(Bps/kbps): 15/0 rx speed(Bps/kbps): 15/0
    orgin->sink: org pre->post, reply pre->post dev=4->5/5->4 gwy=10.47.15.254/10.213.0.2
    hook=post dir=org act=snat 10.213.0.2:1->8.8.8.8:8(10.47.3.94:60417)
    hook=pre dir=reply act=dnat 8.8.8.8:60417->10.47.3.94:0(10.213.0.2:1)
    src_mac=00:45:72:74:1b:01
    misc=0 policy_id=7 pol_uuid_idx=14738 auth_info=0 chk_client_info=0 vd=0 serial=000094d0 tos=ff/ff app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=0 sdwan_service_id=3
    rpdb_link_id=7e000003 rpdb_svc_id=65538 ngfwid=n/a
    npu_state=00000000

    session info: proto=1 proto_state=00 duration=5 expire=495 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
    state=log may_dirty f00
    statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
    tx speed(Bps/kbps): 23/0 rx speed(Bps/kbps): 23/0
    orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.47.31.254/10.213.0.2
    hook=post dir=org act=snat 10.213.0.2:1->1.1.1.1:8(10.47.19.94:60417)
    hook=pre dir=reply act=dnat 1.1.1.1:60417->10.47.19.94:0(10.213.0.2:1)
    src_mac=00:45:72:74:1b:01
    misc=0 policy_id=1 pol_uuid_idx=14737 auth_info=0 chk_client_info=0 vd=0 serial=000094da tos=ff/ff app_list=0 app=0 url_cat=0
    sdwan_mbr_seq=0 sdwan_service_id=0
    rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
    npu_state=00000000

    total session 3

Similarly, multiple source IPs can be defined with the commands below:

    diagnose sys session filter ext-src x.x.x.x
    diagnose sys session filter ext-src y.y.y.y

Note: Keep the 'src' and 'dst' filters unset when listing sessions from multiple sources and/or destinations with the extended match lists 'ext-src' and 'ext-dst'. Every filter field that is set must match, so a single-value 'dst' filter combined with an 'ext-dst' list only returns sessions that satisfy both, which is usually not what is intended. For example, with both a dst filter and an ext-dst filter set, the expected sessions are not returned:

    FortiGate-300E # diagnose sys session filter dst 8.8.4.4
    FortiGate-300E # diagnose sys session filter ext-dst 4.2.2.4
    FortiGate-300E # diagnose sys session filter
    session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: any
        NAT'd source ip: any
        dest ip: 8.8.4.4-8.8.4.4      <-----
        source port: any
        NAT'd source port: any
        dest port: any
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any
        Extended filters:
            Destination IP List:
                4.2.2.4      <-----

    FortiGate-300E # diagnose sys session list
    total session: 0      <--- No sessions matched.

Unset the dst filter and add the second destination to the extended list instead:

    FortiGate-300E # diagnose sys session filter dst 0.0.0.0      <--- Unset dst filter.
    FortiGate-300E # diagnose sys session filter ext-dst 8.8.4.4
    FortiGate-300E # diagnose sys session filter
    session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: any
        NAT'd source ip: any
        dest ip: any
        source port: any
        NAT'd source port: any
        dest port: any
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any
        Extended filters:
            Destination IP List:
                4.2.2.4
                8.8.4.4

    FortiGate-300E # diagnose sys session list | grep total
    total session: 2      <--- 2 sessions matched.

Caution: the same filter is consumed by 'diagnose sys session clear', which removes every matching session (and, with no filter set at all, every session on the unit). Run 'diagnose sys session filter clear' to reset all fields before starting a new check, and again when finished, so that a stale list is not applied to a later clear.

Session Filter reference: Technical Tip: Using filters to clear sessions on a FortiGate in the CLI
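When several destinations are in the extended list, the 'diagnose sys session list' output quickly becomes long, and the fields of interest (policy_id, the two gateways in gwy=, and the snat/dnat tuples on the hook= lines) are spread over each session block. The following parser is an added example, not part of the KB article or of FortiOS: it takes pasted session-list output, extracts those fields per session, and applies the same ext-dst/ext-src matching as the device so the sessions towards each destination can be compared side by side. The sample input is constructed from the two ICMP sessions shown above (abridged to the lines the parser reads); the field layout it expects (key=value groups, hook= lines with 'src:port->dst:port(nat_ip:nat_port)', and the final 'total session' line) is as printed on the page.

```python
"""Parse FortiGate 'diagnose sys session list' output and pull out, per session,
the policy ID, gateways and SNAT/DNAT translations a troubleshooter wants to check."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the two sessions from the KB output, abridged to the
# lines this parser uses. Real output has more lines per block; they are ignored.
SAMPLE_OUTPUT = """\
session info: proto=1 proto_state=00 duration=7 expire=493 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=4->5/5->4 gwy=10.47.15.254/10.213.0.2
hook=post dir=org act=snat 10.213.0.2:1->8.8.8.8:8(10.47.3.94:60417)
hook=pre dir=reply act=dnat 8.8.8.8:60417->10.47.3.94:0(10.213.0.2:1)
misc=0 policy_id=7 pol_uuid_idx=14738 auth_info=0 chk_client_info=0 vd=0 serial=000094d0 tos=ff/ff app_list=0 app=0 url_cat=0

session info: proto=1 proto_state=00 duration=5 expire=495 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.47.31.254/10.213.0.2
hook=post dir=org act=snat 10.213.0.2:1->1.1.1.1:8(10.47.19.94:60417)
hook=pre dir=reply act=dnat 1.1.1.1:60417->10.47.19.94:0(10.213.0.2:1)
misc=0 policy_id=1 pol_uuid_idx=14737 auth_info=0 chk_client_info=0 vd=0 serial=000094da tos=ff/ff app_list=0 app=0 url_cat=0

total session 3
"""

KV_RE = re.compile(r"(\w+)=(\S*)")            # key=value groups anywhere in a block
GWY_RE = re.compile(r"gwy=(?P<org>[\d.]+)/(?P<reply>[\d.]+)")
# For ICMP the "port" fields carry type/code/id, but the layout is the same.
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\)")
TOTAL_RE = re.compile(r"total session:?\s*(\d+)")  # 'total session 3' or 'total session: 2'


@dataclass
class Translation:
    hook: str; direction: str; action: str      # action: snat, dnat or noop
    src: str; sport: int; dst: str; dport: int
    nat_ip: str; nat_port: int


@dataclass
class Session:
    serial: str; proto: int; vd: int; policy_id: int
    org_gateway: str; reply_gateway: str
    fields: Dict[str, str]
    translations: List[Translation] = field(default_factory=list)

    @property
    def original(self) -> Optional[Translation]:
        """The dir=org tuple: the client's view of source and destination."""
        return next((t for t in self.translations if t.direction == "org"), None)


def _parse_block(block: str) -> Session:
    fields = dict(KV_RE.findall(block))   # hook/dir/act keys get overwritten; not used from here
    gw = GWY_RE.search(block)
    s = Session(serial=fields.get("serial", ""), proto=int(fields.get("proto", 0)),
                vd=int(fields.get("vd", 0)), policy_id=int(fields.get("policy_id", -1)),
                org_gateway=gw["org"] if gw else "", reply_gateway=gw["reply"] if gw else "",
                fields=fields)
    for m in HOOK_RE.finditer(block):
        s.translations.append(Translation(
            m["hook"], m["dir"], m["act"], m["src"], int(m["sport"]), m["dst"],
            int(m["dport"]), m["nat_ip"], int(m["nat_port"])))
    return s


def parse_session_list(text: str) -> Tuple[List[Session], Optional[int]]:
    """Split pasted output into session blocks; return (sessions, reported total)."""
    sessions: List[Session] = []
    block: List[str] = []
    total = None
    for line in text.splitlines():
        stripped = line.strip()
        m = TOTAL_RE.match(stripped)
        if stripped.startswith("session info:") or m:
            if block:
                sessions.append(_parse_block("\n".join(block)))
                block = []
            if m:
                total = int(m.group(1))
                continue
        if stripped:
            block.append(stripped)
    if block:
        sessions.append(_parse_block("\n".join(block)))
    return sessions, total


def match_extended(sessions: List[Session], ext_dst: Set[str] = frozenset(),
                   ext_src: Set[str] = frozenset()) -> List[Session]:
    """Mimic ext-dst / ext-src: an empty list means 'any', a non-empty list is an OR
    of its members, and dst and src lists are ANDed, like the device's filter fields."""
    out = []
    for s in sessions:
        t = s.original
        if t is None or (ext_dst and t.dst not in ext_dst) or (ext_src and t.src not in ext_src):
            continue
        out.append(s)
    return out


def summarize(s: Session) -> str:
    """One line per session: who talks to whom, through which policy, NAT and gateways."""
    t = s.original
    flow = f"{t.src}->{t.dst} {t.action}({t.nat_ip}:{t.nat_port})" if t else "no org tuple"
    return (f"serial={s.serial} vd={s.vd} proto={s.proto} policy_id={s.policy_id} {flow} "
            f"gwy org={s.org_gateway} reply={s.reply_gateway}")


if __name__ == "__main__":
    sessions, total = parse_session_list(SAMPLE_OUTPUT)
    print(f"parsed {len(sessions)} session block(s); device reported total {total}")
    for s in match_extended(sessions, ext_dst={"1.1.1.1", "8.8.8.8"}):
        print(summarize(s))
```

Paste the real output into SAMPLE_OUTPUT (or read it from a file) and adjust the ext_dst/ext_src sets to the same lists set on the FortiGate; a session that the device lists but this filter drops points at a mismatch between the filter that was set and the one that was intended, which is exactly the dst/ext-dst overlap the note above warns about.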