Skip to main content
ysatake
Staff
ysatake
Staff
December 29, 2025

Technical Tip: How to check hardware session statistics for a hyperscale firewall VDOM

  • December 29, 2025
  • 0 replies
  • 335 views
Description

 

This article describes how to check hardware session statistics for each hyperscale firewall VDOM on a FortiGate configured with log2host.

 

Scope

 

FortiOS 7.6.0 or later with hyperscale VDOMs configured.

 

Solution

 

On a hyperscale FortiGate, the ‘diagnose sys npu-session stat’ command normally provides only system-wide hardware session statistics.

 

FGT (global) # diagnose system npu-session stat
HW session cnt = 999750, setup rate = 0 (v4:0)
HW log(ps) rate = 0, log(pm) rate = 0

 

If hardware session statistics for a specific hyperscale firewall VDOM or a specific firewall policy are required on a system with multiple hyperscale firewall VDOMs, follow the steps below.

 

  1. Identify the VDOM ID of the hyperscale firewall VDOM.

FGT (vdom) # edit test-hw3
current vf=test-hw3:498     <----- 498 is the VDOM ID.

 

  1. Check hardware session statistics for the specified hyperscale firewall VDOM using the ‘diagnose npu np7 vdom-session-stats <VDOM ID>’ command.

 

FGT (global) # diagnose npu np7 vdom-session-stats 498
HW session stats for vdom 498, policy -1:
CCS: FWD 409962, REV 0
CPS: FWD 0, REV 0

 

The meaning of each field is as follows.

  • CCS: Concurrent sessions.
  • CPS: Connection per second.
  • FWD: Number of standard hardware firewall sessions.
  • REV: Number of hardware firewall sessions created by Endpoint Independent Filtering (cgn-eif).

 

  1. If statistics for a specific firewall policy are required, add the policy ID option.

FGT (global) # diagnose npu np7 vdom-session-stats 498 38              <----- Policy ID 38 in VDOM ID 498.
HW session stats for vdom 498, policy 38:
CCS: FWD 65532, REV 0
CPS: FWD 0, REV 0

 

Special note:

This method can be used only when the log-processor setting is configured as 'host'.

 

FGT (global) # config log npu-server
FGT (npu-server) # show | grep log-processor
set log-processor host

 

If the ‘log-processor hardware’ setting is used, the following error is displayed and this method cannot be used.

 

FGT (global) # diagnose npu np7 vdom-session-stats
The command is only available for log2host case!

Terms & ConditionsAccessibility statement