FortiGate
ekrishnan
Staff
Article Id 220463
Description This article describes how to add multiple destination or source addresses to the session filter.
Scope FortiGate.
Solution

While troubleshooting, the session filter command is used on a FortiGate to narrow the session list so that the DNAT/SNAT, matched policy, gateway, and so on can be checked for traffic from a particular source to a particular destination IP.

This KB article explains how to add multiple source and destination IPs to the filter so that the details for the specified IPs (sources and destinations) can be checked at the same time.

 

In the example below, 1.1.1.1 and 8.8.8.8 are added as destinations. Each 'ext-dst' command appends one address to the extended destination list:

 

diagnose sys session filter ext-dst 1.1.1.1

diagnose sys session filter ext-dst 8.8.8.8

 

To verify if the filter has been set:

 

diagnose sys session filter

 

session filter:
vd: any
sintf: any
dintf: any
proto: any
proto-state: any
source ip: any
NAT'd source ip: any
dest ip: any
source port: any
NAT'd source port: any
dest port: any
policy id: any
expire: any
duration: any
state1: any
state2: any
Extended filters:
Destination IP List:
1.1.1.1
8.8.8.8   <--- Both IPs appear in the Destination IP List.

 

To list the sessions that match the filter:

 

diagnose sys session list

 

Example output:

 

session info: proto=1 proto_state=00 duration=7 expire=493 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
tx speed(Bps/kbps): 15/0 rx speed(Bps/kbps): 15/0
orgin->sink: org pre->post, reply pre->post dev=4->5/5->4 gwy=10.47.15.254/10.213.0.2
hook=post dir=org act=snat 10.213.0.2:1->8.8.8.8:8(10.47.3.94:60417)
hook=pre dir=reply act=dnat 8.8.8.8:60417->10.47.3.94:0(10.213.0.2:1)
src_mac=00:45:72:74:1b:01
misc=0 policy_id=7 pol_uuid_idx=14738 auth_info=0 chk_client_info=0 vd=0
serial=000094d0 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=3
rpdb_link_id=7e000003 rpdb_svc_id=65538 ngfwid=n/a
npu_state=00000000

 

session info: proto=1 proto_state=00 duration=5 expire=495 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
tx speed(Bps/kbps): 23/0 rx speed(Bps/kbps): 23/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.47.31.254/10.213.0.2
hook=post dir=org act=snat 10.213.0.2:1->1.1.1.1:8(10.47.19.94:60417)
hook=pre dir=reply act=dnat 1.1.1.1:60417->10.47.19.94:0(10.213.0.2:1)
src_mac=00:45:72:74:1b:01
misc=0 policy_id=1 pol_uuid_idx=14737 auth_info=0 chk_client_info=0 vd=0
serial=000094da tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=00000000
total session 3
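The session dump above is read by hand in this article. The following Python script is an added example, not part of the original article or of FortiOS, that parses the same 'diagnose sys session list' format into one record per session (protocol, policy ID, NAT action and translated address, gateway, expiry) and checks that every matched session's original-direction destination is one of the addresses placed in the extended list. The sample text is constructed from the output shown above, trimmed to the lines the parser reads; the function and key names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two session entries printed above, trimmed to
# the lines this parser reads ('diagnose sys session list' format).
SAMPLE_OUTPUT = """\
session info: proto=1 proto_state=00 duration=7 expire=493 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=4->5/5->4 gwy=10.47.15.254/10.213.0.2
hook=post dir=org act=snat 10.213.0.2:1->8.8.8.8:8(10.47.3.94:60417)
hook=pre dir=reply act=dnat 8.8.8.8:60417->10.47.3.94:0(10.213.0.2:1)
misc=0 policy_id=7 pol_uuid_idx=14738 auth_info=0 chk_client_info=0 vd=0

session info: proto=1 proto_state=00 duration=5 expire=495 timeout=500 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.47.31.254/10.213.0.2
hook=post dir=org act=snat 10.213.0.2:1->1.1.1.1:8(10.47.19.94:60417)
hook=pre dir=reply act=dnat 1.1.1.1:60417->10.47.19.94:0(10.213.0.2:1)
misc=0 policy_id=1 pol_uuid_idx=14737 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

# key=value tokens such as proto=1, policy_id=7, gwy=10.47.15.254/10.213.0.2
KV_RE = re.compile(r"([\w-]+)=(\S*)")
# NAT tuple lines: hook=post dir=org act=snat SRC:SPORT->DST:DPORT(NATIP:NATPORT)
HOOK_RE = re.compile(
    r"^hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+)"
    r"\((?P<nat_ip>[^:\s]+):(?P<nat_port>\d+)\)$"
)
# Footer, printed as "total session 3" or "total session: 0" depending on build
TOTAL_RE = re.compile(r"^total session:? *(\d+)", re.M)


def parse_sessions(text: str) -> List[Dict]:
    """Split session-list output into one dict per 'session info:' block."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        fields: Dict[str, str] = {}
        tuples: List[Dict[str, str]] = []
        for line in chunk.splitlines():
            m = HOOK_RE.match(line.strip())
            if m:
                tuples.append(m.groupdict())
                continue
            for key, value in KV_RE.findall(line):
                fields.setdefault(key, value)  # first occurrence wins
        org = next((t for t in tuples if t["dir"] == "org"), {})
        gwy = fields.get("gwy", "").split("/")  # org gateway / reply gateway
        sessions.append({
            "proto": int(fields["proto"]),
            "policy_id": int(fields.get("policy_id", -1)),
            "expire": int(fields["expire"]),
            "gwy_org": gwy[0],
            "gwy_reply": gwy[1] if len(gwy) > 1 else "",
            "nat": org.get("act", ""),
            "src": org.get("src", ""),
            "dst": org.get("dst", ""),
            "nat_src": org.get("nat_ip", ""),
            "tuples": tuples,
        })
    return sessions


def parse_total(text: str) -> Optional[int]:
    """Session count from the footer line, or None if it is missing."""
    m = TOTAL_RE.search(text)
    return int(m.group(1)) if m else None


def sessions_outside(sessions: List[Dict], allowed_dsts) -> List[Dict]:
    """Sessions whose original-direction destination is not in the ext-dst
    list; an empty result confirms the filter matched only what was intended."""
    return [s for s in sessions if s["dst"] not in allowed_dsts]


def summarize(sessions: List[Dict]) -> List[str]:
    """One line per session: the fields a troubleshooter reads off the dump."""
    return [
        f"proto={s['proto']} policy_id={s['policy_id']} {s['src']}->{s['dst']} "
        f"{s['nat']} as {s['nat_src']} gwy={s['gwy_org']} expire={s['expire']}"
        for s in sessions
    ]


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    print("\n".join(summarize(parsed)))
    print("outside ext-dst list:", sessions_outside(parsed, {"1.1.1.1", "8.8.8.8"}))
```

Paste the full output of 'diagnose sys session list' into SAMPLE_OUTPUT (or read it from a file) and pass the same addresses given to 'ext-dst' to sessions_outside(); any session it returns means the filter is wider than intended, for instance because a plain 'dst' filter or a stale extended entry is still set.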

 

Similarly, multiple source IPs can be defined with the 'ext-src' option:

 

diagnose sys session filter ext-src x.x.x.x

diagnose sys session filter ext-src y.y.y.y

 

Note: Leave the plain 'src' and 'dst' filters unset when listing sessions for multiple sources and/or destinations with the extended match-list options 'ext-src' and 'ext-dst'. A plain 'src' or 'dst' filter that is still set restricts the result further, so the combination may not return all the matching sessions. To start from a known state, 'diagnose sys session filter clear' resets every filter, including the extended lists; the required 'ext-src'/'ext-dst' entries are then added afresh.

 

For example, when both the 'dst' filter and the 'ext-dst' filter are set, the expected sessions are not returned:

 

FortiGate-300E # diagnose sys session filter dst 8.8.4.4

FortiGate-300E # diagnose sys session filter ext-dst 4.2.2.4

FortiGate-300E # diagnose sys session filter
session filter:
vd: any
sintf: any
dintf: any
proto: any
proto-state: any
source ip: any
NAT'd source ip: any
dest ip: 8.8.4.4-8.8.4.4   <-----
source port: any
NAT'd source port: any
dest port: any
policy id: any
expire: any
duration: any
state1: any
state2: any
Extended filters:
Destination IP List:
4.2.2.4    <-----

FortiGate-300E # diagnose sys session list
total session: 0   <--- No sessions matched.

 

FortiGate-300E # diagnose sys session filter dst 0.0.0.0  <--- Unset the dst filter.

FortiGate-300E # diagnose sys session filter ext-dst 8.8.4.4

FortiGate-300E # diagnose sys session filter
session filter:
vd: any
sintf: any
dintf: any
proto: any
proto-state: any
source ip: any
NAT'd source ip: any
dest ip: any   
source port: any
NAT'd source port: any
dest port: any
policy id: any
expire: any
duration: any
state1: any
state2: any
Extended filters:
Destination IP List:
4.2.2.4
8.8.4.4


FortiGate-300E # diagnose sys session list | grep total
total session: 2    <--- 2 matching sessions.
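To catch the conflicting combination before listing (or clearing) sessions, the following Python script is an added example, not part of the article or of FortiOS, that parses the 'diagnose sys session filter' display and reports any plain 'src'/'dst' filter that is still set alongside a populated extended list, suggesting the '0.0.0.0' unset command shown above. The sample text is constructed from the conflicting example above. The 'Source IP List' header name and the 'src 0.0.0.0' unset form are assumed by analogy with the destination case shown on this page, not confirmed by it.

```python
from typing import Dict, List, Tuple

# Constructed sample: the filter display from the conflicting example above,
# with the plain 'dst' filter set and the extended list populated.
CONFLICTING_FILTER = """\
session filter:
vd: any
sintf: any
dintf: any
proto: any
proto-state: any
source ip: any
NAT'd source ip: any
dest ip: 8.8.4.4-8.8.4.4
source port: any
NAT'd source port: any
dest port: any
policy id: any
expire: any
duration: any
state1: any
state2: any
Extended filters:
Destination IP List:
4.2.2.4
"""

# Constructed sample: the same display after 'dst 0.0.0.0' and a second ext-dst.
CLEAN_FILTER = CONFLICTING_FILTER.replace(
    "dest ip: 8.8.4.4-8.8.4.4", "dest ip: any") + "8.8.4.4\n"

# Plain filter field that narrows the same dimension as each extended list,
# and the keyword used to unset it. 'Source IP List' and 'src 0.0.0.0' are
# assumed by analogy with the destination case shown in the article.
CONFLICTS = {
    "Destination IP List": ("dest ip", "dst"),
    "Source IP List": ("source ip", "src"),
}


def parse_filter(text: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return (base, ext): base maps a plain field such as 'dest ip' to its
    value; ext maps each extended list header to the addresses under it.
    Trailing '<---' style annotations are dropped."""
    base: Dict[str, str] = {}
    ext: Dict[str, List[str]] = {}
    current = None
    in_ext = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "session filter:":
            continue
        if line == "Extended filters:":
            in_ext = True
            continue
        if in_ext:
            if line.endswith("List:"):
                current = line[:-1]          # e.g. "Destination IP List"
                ext[current] = []
            elif current is not None:
                ext[current].append(line.split()[0])
            continue
        key, _, value = line.partition(":")  # first ':' only (NAT'd source ip: any)
        base[key.strip()] = value.split()[0] if value.split() else ""
    return base, ext


def conflicting_filters(base: Dict[str, str], ext: Dict[str, List[str]]) -> List[str]:
    """Unset commands for every extended list that is combined with a plain
    filter on the same field, the combination the note above warns about.
    An empty result means the filter can be used as it stands."""
    fixes = []
    for list_name, (field, keyword) in CONFLICTS.items():
        if ext.get(list_name) and base.get(field, "any") != "any":
            fixes.append(f"diagnose sys session filter {keyword} 0.0.0.0")
    return fixes


if __name__ == "__main__":
    for label, text in (("conflicting", CONFLICTING_FILTER), ("clean", CLEAN_FILTER)):
        base, ext = parse_filter(text)
        print(label, "-> fixes needed:", conflicting_filters(base, ext) or "none")
```

Run it against the pasted output of 'diagnose sys session filter'; the conflicting sample yields the single 'dst 0.0.0.0' fix, and the cleaned sample yields none, matching the 0-session and 2-session results shown above.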

 

The same filter also scopes 'diagnose sys session clear', so always confirm it with 'diagnose sys session filter' before clearing sessions: with no filter set, every session on the unit is cleared.

Session Filter reference:

Technical Tip: Using filters to clear sessions on a FortiGate in the CLI