Matt_B
Staff & Editor
February 9, 2026

Technical Tip: FortiOS session filter and clear commands affect expectation sessions

Description

This article describes the expected behavior that the firewall 'diagnose sys session ____' commands affect the expectation session list as well as the active session list.

Scope

FortiOS.

Solution

Session filter and clear commands apply to both 'active' and expectation sessions.


The active session list is more commonly referred to as simply the 'session table' and can be viewed with the command 'diagnose sys session list'. Note: In larger environments with many active sessions, this can display a large amount of output and it is recommended to only run this command after applying a relevant session filter. See the article Technical Tip: Using filters to clear sessions on a FortiGate in the CLI for more detail on available filters.


The expectation session list can be viewed with the command 'diagnose sys session list expectation'.


Example:


diagnose sys session filter dport 61533 <----- Filters session lists for TCP or UDP destination port 61533

diagnose sys session list
total session: 0 <----- No active sessions match the assigned filter.

diagnose sys session list expectation

session info: proto=17 proto_state=00 duration=137 expire=-107 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=2
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=new log npu f31
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=68->5/5->68 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.250.0.11:0->172.31.255.25:61533(10.250.0.11:0)
hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
misc=0 policy_id=6661 pol_uuid_idx=851 auth_info=0 chk_client_info=0 vd=0
serial=00242200 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0, ha_divert=0/0
no_ofld_reason: new


Clearing long-lived expectation sessions:


Negative expire timer values on expectation sessions are common and expected: depending on the session helper that installed it, an expectation session may only be removed when its parent active session closes. See the article Technical Tip : Session helpers and expectation sessions for more information.

If it is necessary to clear long-lived expectation sessions while not affecting healthy active sessions, it is possible to filter using 'diagnose system session filter expire 0 1'. This filter matches all sessions with an expiry timer of 1 or less, including negative values.


Since the filter above only matches sessions that are about to expire or already have a negative expire timer, the production impact of clearing matching sessions should be limited in most environments. To minimize disruption to users, it is still considered a best practice to list the matched active sessions with 'diagnose system session list' and verify that no unintended sessions are matched. If sessions that must not be cleared are matched by the filter, it is recommended to further narrow the session filter so that it matches only the intended expectation sessions.


diagnose system session filter expire 0 1

diagnose system session list expectation

session info: proto=17 proto_state=00 duration=61 expire=-31 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=2
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=new log npu f31
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=68->5/5->68 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.250.0.11:0->172.31.255.25:62240(10.250.0.11:0)
hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
misc=0 policy_id=6661 pol_uuid_idx=851 auth_info=0 chk_client_info=0 vd=0
serial=0022e2b8 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0, ha_divert=0/0
no_ofld_reason: new
...


diagnose system session list <----- The provided filter also matches any stale active sessions which would otherwise expire in one second or less.

session info: proto=17 proto_state=00 duration=180 expire=1 timeout=0 refresh_dir=both flags=00000000 ...
total session: 1


diagnose system session clear

diagnose system session list expectation <----- No output any longer: the expectation session was cleared.

FGT-A (root) # 
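The pre-clear check recommended above can be scripted: parse the output of both list commands and show what 'diagnose sys session clear' would remove from each list under the 'expire 0 1' filter. This is an added example, not Fortinet code; the sample output is constructed and trimmed to the lines the parser reads, and the filter model (negative timers still match with a lower bound of 0) follows this article's description rather than a documented range rule.

```python
import re

# Constructed sample output shaped like 'diagnose sys session list' and
# 'diagnose sys session list expectation' (trimmed to the lines read below).
ACTIVE_SAMPLE = """\
session info: proto=6 proto_state=01 duration=300 expire=3598 timeout=3600 refresh_dir=both
hook=pre dir=org act=noop 192.0.2.10:51000->198.51.100.5:443(0.0.0.0:0)
misc=0 policy_id=12 pol_uuid_idx=3 auth_info=0 chk_client_info=0 vd=0

session info: proto=17 proto_state=00 duration=180 expire=1 timeout=0 refresh_dir=both
hook=pre dir=org act=noop 192.0.2.11:5060->198.51.100.9:5060(0.0.0.0:0)
misc=0 policy_id=12 pol_uuid_idx=3 auth_info=0 chk_client_info=0 vd=0
total session: 2
"""
EXPECTATION_SAMPLE = """\
session info: proto=17 proto_state=00 duration=61 expire=-31 timeout=0 refresh_dir=both
hook=pre dir=org act=dnat 10.250.0.11:0->172.31.255.25:62240(10.250.0.11:0)
misc=0 policy_id=6661 pol_uuid_idx=851 auth_info=0 chk_client_info=0 vd=0
"""

def parse_sessions(text):
    """Return one dict per 'session info:' block with the fields the check needs."""
    out = []
    for block in re.split(r"\n(?=session info:)", text.strip()):
        header = block.split("\n", 1)[0]              # numeric key=value pairs live here
        fields = dict(re.findall(r"(\w+)=(-?\d+)", header))
        tup = re.search(r"act=(\w+) (\S+)->(\S+)\(", block)   # first hook line
        pol = re.search(r"policy_id=(\d+)", block)
        out.append({
            "proto": int(fields["proto"]),
            "duration": int(fields["duration"]),
            "expire": int(fields["expire"]),
            "act": tup.group(1) if tup else None,
            "flow": f"{tup.group(2)}->{tup.group(3)}" if tup else None,
            "policy_id": int(pol.group(1)) if pol else None,
        })
    return out

def matches_expire(session, low, high):
    """Model 'session filter expire <low> <high>' as the article describes it:
    'expire 0 1' matches timers of 1 or less, negative values included.
    Assumption: negatives match regardless of the lower bound."""
    e = session["expire"]
    return e <= high and (e >= low or e < 0)

def preview_clear(active_text, expectation_text, low=0, high=1):
    """What 'session clear' would remove from BOTH lists under the filter, so a
    healthy active session caught by the filter is spotted before clearing."""
    return {"expectation": [s for s in parse_sessions(expectation_text) if matches_expire(s, low, high)],
            "active": [s for s in parse_sessions(active_text) if matches_expire(s, low, high)]}

if __name__ == "__main__":
    for name, hits in preview_clear(ACTIVE_SAMPLE, EXPECTATION_SAMPLE).items():
        for s in hits:
            print(f"{name}: proto={s['proto']} expire={s['expire']} {s['act']} {s['flow']} policy={s['policy_id']}")
```

With the constructed input it reports the expectation session (expire=-31) and the stale active UDP session (expire=1) as clear candidates, while the healthy TCP session (expire=3598) is left alone.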


Related articles:

Technical Tip: Using filters to clear sessions on a FortiGate in the CLI

Troubleshooting Tip: FortiGate session table information

Technical Tip : Session helpers and expectation sessions

Technical Tip: How to enable STUN protocol in policy