rmetzger
Staff
January 7, 2010

Technical Tip: Using filters to clear sessions on a FortiGate in the CLI


Description

This article describes how to use filters to clear sessions on a FortiGate unit from the CLI, using the command:

diagnose sys session <arguments>
 

Scope

FortiGate.


Solution

Clearing sessions matching some common filtering criteria can be done from the CLI in 2 steps:

  1. Set up a session filter.

The base command is 'diagnose sys session filter <options>'.

To see the options, type:

diagnose sys session filter ?

vd                 Index of virtual domain. -1 matches all.
vd-name            Name of virtual domain. -1 or "any" matches all.
sintf              Source interface.
dintf              Destination interface.
src                Source IP address.
nsrc               NAT'd source ip address
dst                Destination IP address.
proto              Protocol number.
sport              Source port.
nport              NAT'd source port
dport              Destination port.
policy             Policy ID.
expire             expire
duration           duration
proto-state        Protocol state.
session-state1     Session state1.
session-state2     Session state2.
ext-src            Add a source address to the extended match list.
ext-dst            Add a destination address to the extended match list.
ext-src-negate     Add a source address to the negated extended match list.
ext-dst-negate     Add a destination address to the negated extended match list.
clear              Clear session filter.
negate             Inverse filter.

 

Notes:

• The following options are only available in FortiOS version 5.4.1 and above. See the article Technical Tip: Filter session table on states.

session-state1    Session state1.
session-state2    Session state2.

• The following options are only available in FortiOS version 6.0.4 and above. See the article Technical Tip: Adding multiple destination or source address on session filter.

ext-src           <----- Add a source address to the extended match list.
ext-dst           <----- Add a destination address to the extended match list.
ext-src-negate    <----- Add a source address to the negated extended match list.
ext-dst-negate    <----- Add a destination address to the negated extended match list.

 

To see the current filter settings, type:

diagnose sys session filter

        session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: any
        NAT'd source ip: any
        dest ip: any
        source port: any
        NAT'd source port: any
        dest port: any
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any

       

Example of a filter matching a source IP and a destination port:

diagnose sys session filter src 10.160.0.1
diagnose sys session filter dport 80
diagnose sys session filter

        session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: 10.160.0.1-10.160.0.1
        NAT'd source ip: any
        dest ip: any
        source port: any
        NAT'd source port: any
        dest port: 80-80
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any

 

Example of a filter matching a range of source IPs and a range of destination ports (the first value is the start of the range, the second its end):

diagnose sys session filter src 10.160.0.1 10.160.0.10
diagnose sys session filter dport 80 888
diagnose sys session filter

        session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: 10.160.0.1-10.160.0.10
        NAT'd source ip: any
        dest ip: any
        source port: any
        NAT'd source port: any
        dest port: 80-888
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any

 

Example of a filter matching a destination IP without filtering any port:

diagnose sys session filter dst 10.160.0.1
diagnose sys session filter

        session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: any
        NAT'd source ip: any
        dest ip: 10.160.0.1-10.160.0.1
        source port: any
        NAT'd source port: any
        dest port: any
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any

 

Example of a filter matching a source IP without filtering any port:

diagnose sys session filter src 10.160.0.1
diagnose sys session filter

        session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: 10.160.0.1-10.160.0.1
        NAT'd source ip: any
        dest ip: any
        source port: any
        NAT'd source port: any
        dest port: any
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any

 

Example of session list output (only sessions matching the current filter are shown):

diagnose sys session list

        session info: proto=6 proto_state=01 duration=536 expire=3596 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
        origin-shaper=
        reply-shaper=
        per_ip_shaper=
        class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
        state=log local
        statistic(bytes/packets/allow_err): org=12719/77/1 reply=29093/41/1 tuples=2
        tx speed(Bps/kbps): 23/0 rx speed(Bps/kbps): 87/0
        orgin->sink: org out->post, reply pre->in dev=18->22/22->18 gwy=0.0.0.0/10.109.49.31
        hook=out dir=org act=noop 10.160.0.1:5627->96.45.46.46:853(0.0.0.0:0)
        hook=in dir=reply act=noop 96.45.46.46:853->10.160.0.1:5627(0.0.0.0:0)
        pos/(before,after) 0/(0,0), 0/(0,0)
        misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
        serial=012c0e1d tos=ff/ff app_list=0 app=0 url_cat=0
        rpdb_link_id=00000000 ngfwid=n/a
        npu_state=00000000
        no_ofld_reason: local

 

Session filter and clear commands also apply to expectation sessions; see the article Technical Tip: FortiOS session filter and clear commands affect expectation sessions.

 

 

  2. Clear the session(s) matching the filter defined previously with the command:

diagnose sys session clear

Warning:

Using the 'diagnose sys session clear' command without any filter will clear all sessions currently open on the FortiGate. Session filters only apply within the CLI session in which they were set, so a filter configured in another CLI session does not protect this one. For this reason, it is recommended to always check the sessions matched by the filter with the 'diagnose sys session list' command before clearing them.
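The check the warning recommends, as an added example that is not part of the original article: a small Python parser for 'diagnose sys session list' output that reports any listed session falling outside the filter you intended (a source IP range and a destination port range, as in the filter examples above), so a filter that was set in a different CLI session is noticed before 'diagnose sys session clear' is run. The listing in SAMPLE_LIST, including its addresses, ports and serials, is constructed for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
# Constructed sample in the 'diagnose sys session list' format shown above:
# two sessions with made-up addresses, ports and serials (not real output).
SAMPLE_LIST = """\
session info: proto=6 proto_state=01 duration=536 expire=3596 timeout=3600
hook=out dir=org act=noop 10.160.0.1:5627->96.45.46.46:853(0.0.0.0:0)
hook=in dir=reply act=noop 96.45.46.46:853->10.160.0.1:5627(0.0.0.0:0)
serial=012c0e1d tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600
hook=out dir=org act=noop 10.160.0.7:40112->203.0.113.5:80(0.0.0.0:0)
hook=in dir=reply act=noop 203.0.113.5:80->10.160.0.7:40112(0.0.0.0:0)
serial=0a1b2c3d tos=ff/ff app_list=0 app=0 url_cat=0
"""

# The 'dir=org' hook line carries the session's original (pre-NAT) 5-tuple.
ORG_RE = re.compile(r"dir=org act=\w+ ([^\s:]+):(\d+)->([^\s:(]+):(\d+)\(")

def parse_session_list(text: str) -> List[dict]:
    """Split raw 'diagnose sys session list' output into one dict per session."""
    sessions: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("session info:"):  # starts a new session block
            sessions.append({"proto": int(re.search(r"proto=(\d+)", line).group(1))})
        elif sessions and (m := ORG_RE.search(line)):
            sessions[-1].update(src=m[1], sport=int(m[2]),
                                dst=m[3], dport=int(m[4]))
        elif sessions and line.startswith("serial="):
            sessions[-1]["serial"] = line.split()[0].split("=", 1)[1]
    return sessions

def in_ip_range(addr: str, first: str, last: str) -> bool:
    a, lo, hi = (ipaddress.ip_address(x) for x in (addr, first, last))
    return lo <= a <= hi

def unexpected_sessions(text: str, src: Optional[Tuple[str, str]] = None,
                        dport: Optional[Tuple[int, int]] = None) -> List[str]:
    """Serials of listed sessions that fall OUTSIDE the intended filter: anything
    returned here would be removed by 'diagnose sys session clear' although it
    was not meant to be, e.g. the filter was set in a different CLI session."""
    bad = []
    for s in parse_session_list(text):
        if "src" not in s or "serial" not in s:  # incomplete block, skip it
            continue
        src_ok = src is None or in_ip_range(s["src"], *src)
        dport_ok = dport is None or dport[0] <= s["dport"] <= dport[1]
        if not (src_ok and dport_ok):
            bad.append(s["serial"])
    return bad
```

Paste the real 'diagnose sys session list' output in place of SAMPLE_LIST and pass the same source range and destination port range you gave to 'diagnose sys session filter'; an empty result means the listing agrees with the intended filter.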

 

Related articles:

Troubleshooting Tip: FortiGate session table information

Technical Tip: Session helpers and expectation sessions

Technical Tip: How it is possible to use 'filter' with 'diagnose sys session list' command to get the intended result