FortiGate
ekrishnan
Staff
Description: This article describes how to add multiple destination or source addresses to a session filter.
Scope: FortiGate.
Solution:

While troubleshooting in a customer environment, the session filter command is used on FortiGate to check the DNAT/SNAT, policy, gateway, etc. for a particular source towards a particular destination IP.

This KB article explains how to add multiple source and destination IPs to the filter so that the details for the specified IPs (sources and destinations) can be checked at the same time.


Example used here: 1.1.1.1 and 8.8.8.8 as destination IPs. Each ext-dst command appends another address to the filter's Destination IP List rather than replacing the previous one:

# diag sys session filter ext-dst 1.1.1.1
# diag sys session filter ext-dst 8.8.8.8


To verify that the filter has been set:

# diag sys session filter

session filter:
vd: any
sintf: any
dintf: any
proto: any
proto-state: any
source ip: any
NAT'd source ip: any
dest ip: any
source port: any
NAT'd source port: any
dest port: any
policy id: any
expire: any
duration: any
state1: any
state2: any
Extended filters:
Destination IP List:
1.1.1.1
8.8.8.8  >> Both IPs can be seen in the Destination IP List

To view the sessions matching the filter:

# diagnose sys session list

Example output (one session per filtered destination; the SNAT/DNAT hooks, policy_id and gwy are visible in each block):

session info: proto=1 proto_state=00 duration=7 expire=493 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
tx speed(Bps/kbps): 15/0 rx speed(Bps/kbps): 15/0
orgin->sink: org pre->post, reply pre->post dev=4->5/5->4 gwy=10.47.15.254/10.213.0.2
hook=post dir=org act=snat 10.213.0.2:1->8.8.8.8:8(10.47.3.94:60417)
hook=pre dir=reply act=dnat 8.8.8.8:60417->10.47.3.94:0(10.213.0.2:1)
src_mac=00:45:72:74:1b:01
misc=0 policy_id=7 pol_uuid_idx=14738 auth_info=0 chk_client_info=0 vd=0
serial=000094d0 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=3
rpdb_link_id=7e000003 rpdb_svc_id=65538 ngfwid=n/a
npu_state=00000000

session info: proto=1 proto_state=00 duration=5 expire=495 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
tx speed(Bps/kbps): 23/0 rx speed(Bps/kbps): 23/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.47.31.254/10.213.0.2
hook=post dir=org act=snat 10.213.0.2:1->1.1.1.1:8(10.47.19.94:60417)
hook=pre dir=reply act=dnat 1.1.1.1:60417->10.47.19.94:0(10.213.0.2:1)
src_mac=00:45:72:74:1b:01
misc=0 policy_id=1 pol_uuid_idx=14737 auth_info=0 chk_client_info=0 vd=0
serial=000094da tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=00000000
total session 3

Similarly, multiple source IPs can be defined with the commands below (each ext-src command appends an address to the Source IP List):

# diagnose sys session filter ext-src x.x.x.x
# diagnose sys session filter ext-src y.y.y.y
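When the session list is too long to read on the console, the same multi-address selection can be applied offline to a saved copy of the output. The following Python script is an added example (not code from the article or from Fortinet): it parses `diagnose sys session list` output into session records and emulates the ext-dst / ext-src lists, returning the original source, destination, SNAT address, policy_id and gateway of every matching session. The sample output is constructed in the shape of the article's output (a third, non-matching session is added for contrast), and the assumption that a session must match at least one address in each list that is set is the script's own, not a documented FortiGate guarantee.

```python
"""Offline emulation of 'diagnose sys session filter ext-dst/ext-src' over saved output."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample in the shape of 'diagnose sys session list' output.
# Sessions 1 and 2 mirror the article; session 3 is added so a filter miss is visible.
SAMPLE = """\
session info: proto=1 proto_state=00 duration=7 expire=493 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
state=log may_dirty f00
orgin->sink: org pre->post, reply pre->post dev=4->5/5->4 gwy=10.47.15.254/10.213.0.2
hook=post dir=org act=snat 10.213.0.2:1->8.8.8.8:8(10.47.3.94:60417)
hook=pre dir=reply act=dnat 8.8.8.8:60417->10.47.3.94:0(10.213.0.2:1)
misc=0 policy_id=7 pol_uuid_idx=14738 auth_info=0 chk_client_info=0 vd=0
session info: proto=1 proto_state=00 duration=5 expire=495 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.47.31.254/10.213.0.2
hook=post dir=org act=snat 10.213.0.2:1->1.1.1.1:8(10.47.19.94:60417)
hook=pre dir=reply act=dnat 1.1.1.1:60417->10.47.19.94:0(10.213.0.2:1)
misc=0 policy_id=1 pol_uuid_idx=14737 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=3 expire=3600 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=4->5/5->4 gwy=10.47.15.254/10.213.0.5
hook=post dir=org act=snat 10.213.0.5:51000->9.9.9.9:443(10.47.3.94:51000)
hook=pre dir=reply act=dnat 9.9.9.9:443->10.47.3.94:51000(10.213.0.5:51000)
misc=0 policy_id=2 pol_uuid_idx=14740 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

PROTO_RE = re.compile(r"\bproto=(?P<p>\d+)")
GWY_RE = re.compile(r"gwy=(?P<org>[\d.]+)/(?P<reply>[\d.]+)")
POLICY_RE = re.compile(r"\bpolicy_id=(?P<id>\d+)")
# hook=<pre|post> dir=<org|reply> act=<snat|dnat|noop> src:port->dst:port(nat_ip:nat_port)
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\((?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\))?"
)


@dataclass
class Session:
    proto: int
    policy_id: Optional[int]
    gwy_org: Optional[str]      # next hop in the originating direction
    gwy_reply: Optional[str]    # next hop in the reply direction
    src: Optional[str]          # original (pre-NAT) source
    dst: Optional[str]          # original destination
    act: Optional[str]          # snat/dnat/noop on the originating hook line
    nat_ip: Optional[str]       # translated source address when act=snat
    nat_port: Optional[int]


def _split_blocks(text: str) -> List[List[str]]:
    """Group lines into one list per 'session info:' block; stop at the 'total session' trailer."""
    blocks, cur = [], []
    for line in text.splitlines():
        if line.startswith("session info:"):
            if cur:
                blocks.append(cur)
            cur = [line]
        elif line.startswith("total session"):
            break
        elif cur:
            cur.append(line)
    if cur:
        blocks.append(cur)
    return blocks


def _parse_block(lines: List[str]) -> Session:
    proto = int(PROTO_RE.search(lines[0]).group("p"))
    policy_id = gwy_org = gwy_reply = src = dst = act = nat_ip = nat_port = None
    for line in lines[1:]:
        if (m := GWY_RE.search(line)):
            gwy_org, gwy_reply = m.group("org"), m.group("reply")
        elif (m := POLICY_RE.search(line)):
            policy_id = int(m.group("id"))
        elif (m := HOOK_RE.match(line)) and m.group("dir") == "org":
            # Only the originating-direction hook gives the pre-NAT src/dst tuple.
            src, dst, act, nat_ip = m.group("src"), m.group("dst"), m.group("act"), m.group("nat_ip")
            nat_port = int(m.group("nat_port")) if m.group("nat_port") else None
    return Session(proto, policy_id, gwy_org, gwy_reply, src, dst, act, nat_ip, nat_port)


def parse_sessions(text: str) -> List[Session]:
    return [_parse_block(b) for b in _split_blocks(text)]


def filter_sessions(sessions: Iterable[Session], ext_dst: Iterable[str] = (),
                    ext_src: Iterable[str] = ()) -> List[Session]:
    """Emulate the extended filter lists: a session must match at least one address
    in every list that is non-empty (AND across lists, OR within a list; assumption)."""
    dsts, srcs = set(ext_dst), set(ext_src)
    return [s for s in sessions
            if (not dsts or s.dst in dsts) and (not srcs or s.src in srcs)]


def nat_summary(s: Session) -> str:
    """One-line view of what the article checks per session: NAT, policy and gateway."""
    nat = f" via SNAT {s.nat_ip}:{s.nat_port}" if s.act == "snat" else ""
    return f"{s.src}->{s.dst}{nat} policy {s.policy_id} gwy {s.gwy_org}"


if __name__ == "__main__":
    for s in filter_sessions(parse_sessions(SAMPLE), ext_dst={"1.1.1.1", "8.8.8.8"}):
        print(nat_summary(s))
```

Feed it the text captured from the console (for example via the terminal's session log) instead of SAMPLE; the ext_dst and ext_src arguments take the same address lists you would build with repeated ext-dst / ext-src commands on the FortiGate.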

 

Session Filter reference: 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-filters-to-clear-sessions-on-a-Forti...
