The article describes how to do a fast check of the session list and how to filter it by IP address, port, or serial ID (taken from debug flow output) using 'grep'.
FortiGate 6.0.x, 6.2.x, 6.4.x, 7.0.x, 7.2.x.
In many environments, FortiGate is responsible for handling a huge amount of traffic and sessions.
During troubleshooting, sometimes only the destination port, the source port, or only an IP address is known, and it is not certain whether that IP address is the source or the destination of the session.
The command below shows a list of all sessions on the unit, including source IP, source port, destination IP, destination port, SNAT, and DNAT.
FW_prod (root) # get system session list
The FortiGate CLI allows piping command output through 'grep', which filters the output for a specific string.
For this case, it is possible to run the following command with grep:
FG200E-2 # get system session list | grep 22.214.171.124
The following command adds the '-c' argument, which prints how many lines of the session list match the IP address instead of the lines themselves:
FG200E-2 # get system session list | grep 188.8.131.52 -c
Sometimes during troubleshooting with 'debug flow', the output looks like this one:
id=65308 trace_id=48 func=print_pkt_detail line=5875 msg="vd-root:0 received a packet(proto=1, 10.10.10.1:38089->10.10.10.200:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=38089, seq=61729."
This is debug flow output for an existing session with a particular ID; in this case, the serial is id-002b1aec.
'diagnose sys session filter' has no option to filter by session ID (serial ID), so the following command can be used instead: it filters the full session list by the serial ID and, with '-B13' and '-A4', also displays the 13 lines before and the 4 lines after the matching line, so that the fields of that session are shown:
FW_prod (root) # diagnose sys session list | grep -f -A4 -B13 002b1ae
session info: proto=1 proto_state=00 duration=1589282 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
This is useful, for instance, when debugging a connection that is already established and a fast check of the session list is wanted for that particular session: its duration, the policy that allowed it, the UTM profile applied, or other information from the session output.
In this example, 'diagnose sys session filter' is not used; instead, 'grep' is applied to the full session list.
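As an added example (not from the article), the same filtering applied to a copy of the session list saved to a workstation: awk's paragraph mode selects the whole session block by its serial, so the result does not depend on fixed -B/-A line counts, which break when a block has a different number of lines (extra shaper, NAT or UTM fields). The session list below is constructed sample data in the FortiGate layout, not output from a real unit, and the serial 002b1aec is the one from the debug flow above.

```shell
#!/bin/sh
# Constructed sample of 'diagnose sys session list' output
# (two sessions in the FortiGate layout; not captured from a real unit).
SESSION_LIST='session info: proto=1 proto_state=00 duration=1589282 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
statistic(bytes/packets/allow_err): org=84/1/1 reply=84/1/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=10.10.10.200/10.10.10.1
hook=pre dir=org act=noop 10.10.10.1:38089->10.10.10.200:2048(0.0.0.0:0)
hook=post dir=reply act=noop 10.10.10.200:38089->10.10.10.1:0(0.0.0.0:0)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
serial=002b1aec tos=ff/ff app_list=0 app=0 url_cat=0

session info: proto=6 proto_state=01 duration=12 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
statistic(bytes/packets/allow_err): org=120/2/1 reply=60/1/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=192.0.2.10/10.10.10.1
hook=pre dir=org act=snat 10.10.10.5:51000->192.0.2.10:443(198.51.100.1:51000)
hook=post dir=reply act=dnat 192.0.2.10:443->198.51.100.1:51000(10.10.10.5:51000)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=00ab12cd tos=ff/ff app_list=0 app=0 url_cat=0
'

# Print the whole blank-line-separated session block whose serial= field
# starts with $1 (a prefix such as 002b1ae works, like the CLI grep).
session_by_serial() {
    printf '%s\n' "$SESSION_LIST" |
        awk -v s="$1" 'BEGIN { RS="" } index($0, "serial=" s) { print; exit }'
}

# Count sessions that mention an IP address: the file-side counterpart of
# 'grep <ip> -c', counted per session block rather than per line. It is a
# substring match, so 10.10.10.1 also counts 10.10.10.10, as the CLI grep would.
sessions_with_ip() {
    printf '%s\n' "$SESSION_LIST" |
        awk -v ip="$1" 'BEGIN { RS="" } index($0, ip) { n++ } END { print n + 0 }'
}

# Extract one key=value field (e.g. duration, policy_id) from a block on stdin.
field() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p" | head -n 1
}

# Example: duration and allowing policy of the session seen in debug flow.
session_by_serial 002b1aec | field duration     # 1589282
session_by_serial 002b1aec | field policy_id    # 7
```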