acozzetti
Staff
July 15, 2020

Technical Tip: Filter session table on states


Description

 

This article describes how to filter the FortiGate session table on the CLI based on session states.

 

Scope

 

FortiGate.

Solution

 

The 'diagnose sys session filter' CLI command accepts the options 'session-state1' and 'session-state2', which filter the session table by session state flags.

The parameters required are:

 

diagnose sys session filter <session-state1|session-state2> <state_bits> <state_bits_mask>

 

state_bits: a 32-bit hexadecimal value that identifies the states to filter on. For example, for 'session-state1':

  • 00000200: may_dirty.
  • 04000000: synced.
  • 00100000: nlb.
  • 00000004: log.

 

Enter either of the following CLI commands without arguments to display the available session state values that can be used as a filter:

 

diagnose sys session filter session-state1

 

Arguments: state_bits state_bits_mask
state1 bits:
|00000001: new
|00000002: redir
|00000004: log
|00000008: block
|00000010: oe
|00000020: re
|00000040: wccp
|00000080: dirty
|00000100: local
|00000200: may_dirty
|00000400: per_ip
|00000800: auth
|00001000: nb
|00002000: ndr
|00004000: nds
|00008000: br
|00010000: npu
|00020000: npd
|00040000: src-vis
|00080000: ssc
|00100000: nlb
|00200000: dst-vis
|00400000: 3way
|00800000: pol_sniff
|01000000: authed
|02000000: need_sync
|04000000: synced
|08000000: os
|10000000: rs
|20000000: ha_replicate
|40000000: ndri

 

Additional defined session-state1 bits not appearing in CLI help:


|80000000: EXPECT (f31)

diagnose sys session filter session-state2

 

Arguments: state_bits state_bits_mask
state2 bits:
|00000008: pcp_outbound
|00000010: pcp_inbound
|00000020: dym_src_port
|00000040: inherit_sockport
|00000100: netflow-origin
|00000200: netflow-reply
|00000400: syn_ses
|00000800: fec
|00001000: nosyn_ses
|00002000: csf_syncd_log
|00004000: app_valid
|00008000: url_cat_valid
|00010000: route_preserve
|00040000: exp_notify
|00080000: pkt_dup
|00100000: force_dup
|00200000: de_dup
|00400000: dynamic_shaping
|00800000: tcp_3way_rtt
|01000000: access_proxy
|02000000: svc_dup
|04000000: rpdb_dup

 

Additional defined session-state2 bits not appearing in CLI help:

 

|00000001 LOG_FAILED_ATTEMPT

|00000002 LOG_FAILED_DNS

|00000004 LOG_FAILED_IP_CONN

|00020000 CLUSTER_SYNC

 

The following additional session-state2 bits are only relevant for SLBC (chassis FortiGate) deployments.

 

|10000000 LO_FWD

|20000000 LI_REDIR

 

The following additional session-state2 bits are only relevant for SLBC with IPsec VPN load balancing; see the IPsec VPN load balancing documentation.

 

|40000000 LO_MFPM_FWD

|80000000 LI_MFPM_REDIR

 

Note: states can be combined by adding their bit values. For example, 'may_dirty' (00000200) plus 'nlb' (00100000) gives 00100200.

state_bits_mask: this mask selects which bits of the session state are compared. With mask FFFFFFFF, every bit is compared, so only sessions whose state is exactly the specified flags (and no others) match. With a mask equal to 'state_bits', only the specified bits are compared, so sessions that carry these flags together with any other states also match.

Examples:

 

  1. Filter sessions that have only the states 'may_dirty', 'nlb' and 'nosyn_ses', and no other states:

 

diagnose sys session filter clear
diagnose sys session filter session-state1 00100200 ffffffff
diagnose sys session filter session-state2 00001000 ffffffff
diagnose sys session list

session info: slot=0 ori_slot=0 proto=6 proto_state=02 duration=0 expire=9 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=8/8
state=may_dirty nlb nosyn_ses
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=103->105/105->103 gwy=169.254.0.66/0.0.0.0
hook=pre dir=org act=noop 10.101.10.5:11971->172.168.17.2:514(0.0.0.0:0)
hook=post dir=reply act=noop 172.168.17.2:514->10.101.10.5:11971(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 auth_info=0 chk_client_info=0 vd=1
serial=0117979c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason:  non-npu-intf
total session 60

 

  2. Filter sessions that have the state 'log', regardless of which other states are set:

 

diagnose sys session filter clear
diagnose sys session filter session-state1 00000004 00000004
diagnose sys session list

session info: slot=0 ori_slot=0 proto=17 proto_state=00 duration=1179952 expire=139 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8
state=log local may_dirty
statistic(bytes/packets/allow_err): org=1415664/19662/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->in, reply out->post dev=4->0/0->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.5.21.24:1950->10.5.31.255:8014(0.0.0.0:0)
hook=post dir=reply act=noop 10.5.31.255:8014->10.5.21.24:1950(0.0.0.0:0)
misc=0 policy_id=4294967295 auth_info=0 chk_client_info=0 vd=2
serial=00000872 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=00000000
no_ofld_reason:  local
total session 20
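The following is an added example, not code from the Fortinet article: it builds the state_bits and state_bits_mask arguments used in the two examples above from state names, and applies the assumed match rule (session_state AND mask) equals state_bits to the 'state=' lines of session-list output so the two mask choices can be compared offline. The bit values are those listed in the article; STATE2_BITS holds only a subset of them.

```python
# Added example (not the Fortinet article's own code). Bit values come from the
# article's CLI help; STATE2_BITS is deliberately only a subset. The match rule
# (session_bits & mask) == state_bits is an assumption consistent with the article.
STATE1_BITS = {
    "new": 0x00000001, "redir": 0x00000002, "log": 0x00000004, "block": 0x00000008,
    "oe": 0x00000010, "re": 0x00000020, "wccp": 0x00000040, "dirty": 0x00000080,
    "local": 0x00000100, "may_dirty": 0x00000200, "per_ip": 0x00000400, "auth": 0x00000800,
    "nb": 0x00001000, "ndr": 0x00002000, "nds": 0x00004000, "br": 0x00008000,
    "npu": 0x00010000, "npd": 0x00020000, "src-vis": 0x00040000, "ssc": 0x00080000,
    "nlb": 0x00100000, "dst-vis": 0x00200000, "3way": 0x00400000, "pol_sniff": 0x00800000,
    "authed": 0x01000000, "need_sync": 0x02000000, "synced": 0x04000000, "os": 0x08000000,
    "rs": 0x10000000, "ha_replicate": 0x20000000, "ndri": 0x40000000,
}
STATE2_BITS = {  # subset of the state2 bits listed in the article
    "pcp_outbound": 0x00000008, "pcp_inbound": 0x00000010, "syn_ses": 0x00000400,
    "nosyn_ses": 0x00001000, "app_valid": 0x00004000, "url_cat_valid": 0x00008000,
}

def filter_args(names, table, exact):
    """Return (state_bits, state_bits_mask) as the 8-digit hex strings the CLI expects.
    exact=True  -> mask ffffffff: the session must carry exactly these states (example 1).
    exact=False -> mask == bits: these states are required, any others are allowed (example 2).
    """
    bits = 0
    for name in names:
        bits |= table[name]  # OR-ing distinct flags is the "adding them" the article describes
    mask = 0xFFFFFFFF if exact else bits
    return f"{bits:08x}", f"{mask:08x}"

def parse_state_line(line, table):
    """Convert a 'state=...' line from 'diagnose sys session list' into the bits of one table.
    A line mixes state1 and state2 names, so names absent from the given table are ignored."""
    names = line.strip().partition("=")[2].split()
    return sum(table[n] for n in names if n in table)

def matches(session_bits, state_bits_hex, mask_hex):
    """Assumed filter semantics: compare only the bits selected by the mask."""
    return (session_bits & int(mask_hex, 16)) == int(state_bits_hex, 16)

if __name__ == "__main__":
    # Constructed sample input: the two 'state=' lines shown in the article's examples.
    sample_lines = ["state=may_dirty nlb nosyn_ses", "state=log local may_dirty"]
    bits1, mask1 = filter_args(["may_dirty", "nlb"], STATE1_BITS, exact=True)
    bits2, mask2 = filter_args(["log"], STATE1_BITS, exact=False)
    print("diagnose sys session filter session-state1", bits1, mask1)
    print("diagnose sys session filter session-state1", bits2, mask2)
    for line in sample_lines:
        s = parse_state_line(line, STATE1_BITS)
        print(f"{line}: exact={matches(s, bits1, mask1)} log_any={matches(s, bits2, mask2)}")
```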

 

Warning:

 

Entering the 'diagnose sys session clear' command without any filter clears all sessions on the firewall and will cause network disruption.

 

diagnose sys session clear