TurboC
New Member
May 9, 2021
Question

The session Table can tell me if a flow is ok or not?

  • May 9, 2021
  • 1 reply
  • 7760 views

when I check the session table using the command "diagnose sys session list", how can I check if the flow is working or not? I mean, what about if the flow goes through the firewall but it doesn't come back?

 

just to give you an example, the Juniper SRX firewall writes this information in its session table, but what about Fortinet? in the "diagnose sys session list" output where is written this information?

    1 reply

    Toshi_Esumi
    SuperUser
    May 10, 2021

    fg50e-utm (root) # diag sys session filter dst 8.8.8.8
    fg50e-utm (root) # diag sys session list
    session info: proto=1 proto_state=00 duration=1112682 expire=56 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
    state=log local nds
    statistic(bytes/packets/allow_err): org=2223960/37066/1 reply=2223840/37064/1 tuples=2
    tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 1/0
    orgin->sink: org out->post, reply pre->in dev=0->0/76->12 gwy=0.0.0.0/[home_ip]
    hook=out dir=org act=noop [home_ip]:59999->8.8.8.8:8(0.0.0.0:0)
    hook=in dir=reply act=noop 8.8.8.8:59999->[home_ip]:0(0.0.0.0:0)
    misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
    serial=00449fd0 tos=ff/ff app_list=0 app=0 url_cat=0
    vwl_mbr_seq=0 vwl_service_id=0
    rpdb_link_id=00000000 ngfwid=n/a
    dd_type=0 dd_mode=0
    total session 1

    emnoc
    New Member
    May 10, 2021

    OP, the cmd is similar to show security flow for junos. You can get similar diagnose to matches and counts. You can see these in the bytes count field.

     

    e.g

     

    session info: proto=17 proto_state=01 duration=12 expire=176 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4

    origin-shaper=

    reply-shaper=

    per_ip_shaper=

    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255

    state=may_dirty 

    statistic(bytes/packets/allow_err): org=5977/13/1 reply=3318/14/1 tuples=2

    tx speed(Bps/kbps): 97/0 rx speed(Bps/kbps): 28/0

    orgin->sink: org pre->post, reply pre->post dev=21->5/5->21 gwy=199.18.24.19/192.168.1.114

    hook=post dir=org act=snat 192.168.1.114:49554->142.250.115.190:443(199.188.254.166:49554)

    hook=pre dir=reply act=dnat 142.250.115.190:443->199.18.24.66:49554(192.168.1.114:49554)

    misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0

    serial=0008b1c1 tos=ff/ff app_list=0 app=0 url_cat=0

    vwl_mbr_seq=0 vwl_service_id=0

    rpdb_link_id=00000000 ngfwid=n/a

    dd_type=0 dd_mode=0

     

    Also you can see hit-counts in a similar fashion 

     

    homefgt (root) # diag firewall iprope show 0x100004 1

    idx=1 pkts/bytes=55045482/48909320872 asic_pkts/asic_bytes=0/0 flag=0x0 hit count:234899

        first:2021-04-29 17:19:04 last:2021-05-10 00:05:00

     established session count:108

        first est:2021-04-29 17:19:04 last est:2021-05-10 00:05:00

     

    That would be the same as show security policy hit-count. The two platforms are similar but done in a slightly different fashion. I look at fortinet as an improvement over screenOS imho.

     

    Ken Felix
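To make the "check the bytes count in both directions" advice from the two replies above mechanical, here is a small parser (added for this thread, not code from Fortinet or from either poster) that reads `diagnose sys session list` output in the layout quoted above, pulls out the org/reply counters from the `statistic(bytes/packets/allow_err)` line together with the 5-tuple from the `dir=org` hook line, and flags sessions where packets left but nothing ever came back. The sample output embedded in it is constructed with RFC 5737 documentation addresses and made-up counters and serials; the regexes run over each whole session block, so they also cope with a paste where the output was collapsed onto one line.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of `diagnose sys session list` as quoted
# in this thread. Addresses, counters and serials are made up. Session 1 has
# traffic in both directions; session 2 sent packets but saw no reply.
SAMPLE_OUTPUT = """\
session info: proto=17 proto_state=01 duration=12 expire=176 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=5977/13/1 reply=3318/14/1 tuples=2
tx speed(Bps/kbps): 97/0 rx speed(Bps/kbps): 28/0
orgin->sink: org pre->post, reply pre->post dev=21->5/5->21 gwy=203.0.113.1/192.0.2.50
hook=post dir=org act=snat 192.0.2.50:49554->198.51.100.10:443(203.0.113.10:49554)
hook=pre dir=reply act=dnat 198.51.100.10:443->203.0.113.10:49554(192.0.2.50:49554)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0008b1c1 tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=02 duration=30 expire=30 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=1840/23/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 60/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=21->5/5->21 gwy=203.0.113.1/192.0.2.50
hook=post dir=org act=snat 192.0.2.50:51000->198.51.100.20:443(203.0.113.10:51000)
hook=pre dir=reply act=dnat 198.51.100.20:443->203.0.113.10:51000(192.0.2.50:51000)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
serial=0001abcd tos=ff/ff app_list=0 app=0 url_cat=0
total session 2
"""

# Field patterns. They are searched in the whole session block, not line by
# line, so a paste that joined the output onto a single line still parses.
STAT_RE = re.compile(
    r"statistic\(bytes/packets/allow_err\):\s*"
    r"org=(\d+)/(\d+)/\d+\s+reply=(\d+)/(\d+)/\d+"
)
ORG_RE = re.compile(r"dir=org\s+act=\w+\s+(\S+?)->(\S+?)\(")  # src->dst before the NAT tuple
PROTO_RE = re.compile(r"\bproto=(\d+)")          # \b keeps this off proto_state=
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")
SERIAL_RE = re.compile(r"\bserial=([0-9a-f]+)")


@dataclass
class Session:
    proto: int
    src: str
    dst: str
    policy_id: int
    serial: str
    org_bytes: int
    org_pkts: int
    reply_bytes: int
    reply_pkts: int

    @property
    def verdict(self) -> str:
        """Classify purely from what the FortiGate counted in each direction."""
        if self.org_pkts and self.reply_pkts:
            return "bidirectional"
        if self.org_pkts and not self.reply_pkts:
            return "one-way"          # left the firewall, nothing came back
        return "idle"                 # session exists but carried no traffic


def parse_sessions(output: str) -> List[Session]:
    """Split the list output into per-session blocks and extract the fields."""
    sessions: List[Session] = []
    for block in re.split(r"(?=session info:)", output):
        if "session info:" not in block:
            continue                  # banner, filter echo or 'total session' tail
        stat, org = STAT_RE.search(block), ORG_RE.search(block)
        if not (stat and org):
            continue                  # truncated block, nothing to judge
        sessions.append(Session(
            proto=int(PROTO_RE.search(block).group(1)),
            src=org.group(1), dst=org.group(2),
            policy_id=int(POLICY_RE.search(block).group(1)),
            serial=SERIAL_RE.search(block).group(1),
            org_bytes=int(stat.group(1)), org_pkts=int(stat.group(2)),
            reply_bytes=int(stat.group(3)), reply_pkts=int(stat.group(4)),
        ))
    return sessions


def one_way_sessions(output: str) -> List[Session]:
    """Sessions whose reply counters are still zero: the flows worth chasing."""
    return [s for s in parse_sessions(output) if s.verdict == "one-way"]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(f"serial={s.serial} proto={s.proto} {s.src}->{s.dst} "
              f"policy={s.policy_id} org={s.org_bytes}B/{s.org_pkts}p "
              f"reply={s.reply_bytes}B/{s.reply_pkts}p -> {s.verdict}")
```

A session reported as one-way only tells you the FortiGate never saw return traffic for that tuple; it does not say whether the reply was dropped upstream, routed back asymmetrically around the firewall, or never sent by the far end, so the next step is a sniffer or debug flow on the expected return interface rather than another look at the session table.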

     

    TurboC
    Author
    New Member
    May 10, 2021
    So, can I check it from the bytes count? If I have something in each direction, it means that the flow goes through the firewall and comes back, otherwise there is an issue, right?

    statistic(bytes/packets/allow_err): org=2223960/37066/1 reply=2223840/37064/1

    In the session table can I see the blocked flows? Can the flows with issues be blocked by a policy too? Can I see the deny policy id, right?