Description | This article describes how to do a fast check of the session list and how to filter it by IP address, port, or serial ID (from debug flow) using 'grep'. |
Scope | FortiGate v6.0.x, v6.2.x, v6.4.x, v7.0.x, v7.2.x. |
Solution |
In many environments, FortiGate is responsible for handling a huge amount of traffic and sessions.
During troubleshooting, sometimes only the destination port, source port, or IP address is known, and it is not clear whether that IP address is the source or the destination.
The command below shows a list of all sessions on the unit, including source IP, source port, destination IP, destination port, SNAT, and DNAT.
FW_prod (root) # get system session list
The FortiGate CLI supports the 'grep' command, which filters the output for specific strings.
In this case, it is possible to run the following command with grep:
FG200E-2 # get system session list | grep 1.1.1.1
The following command adds the '-c' argument, which counts how many times 1.1.1.1 is encountered in the output.
FG200E-2 # get system session list | grep 1.1.1.1 -c
Sometimes, during troubleshooting with 'debug flow', the output looks like this:
id=65308 trace_id=48 func=print_pkt_detail line=5875 msg="vd-root:0 received a packet(proto=1, 10.10.10.1:38089->10.10.10.200:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=38089, seq=61729."
This is debug flow output for an existing session with a particular ID; in this case, the serial is id-002b1aec.
'diagnose sys session filter' has no option to filter by session ID (serial ID), so the following command can be used instead. It filters by the serial ID and displays all fields of the session, 14 lines before the match and 3 lines after the match:
FW_prod (root) # diagnose sys session list | grep -f -A4 -B13 002b1ae
session info: proto=1 proto_state=00 duration=1589282 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
The following command filters by both IP address and port:
diagnose sys session list | grep <source IP> | grep <port_number>
Example: To check for sessions from a specific source IP (1.1.1.1) on port 443 (HTTPS):
diagnose sys session list | grep 1.1.1.1 | grep 443
id=12345, proto=6, srcip=1.1.1.1, dstip=10.0.0.1, srcport=12345, dstport=443, ...
This is useful, for instance, when debugging a connection that is already established and a fast check of the session list is needed for a particular session: its duration, the policy that allowed it, the UTM profile, or other information from the session output.
In this example, 'diagnose sys session filter' is not used; the filtering is done by applying 'grep' to the full session list. |
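The chained filter above matches substrings line by line, so 1.1.1.1 also hits 11.1.1.10 and 443 also hits 8443 or 4430. The following is an added example, not Fortinet code: an offline check of a saved session dump that matches whole IP addresses, ports, and serials per session. The sample dump is constructed, its field layout is an assumption, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated sample of saved 'diagnose sys session list' output.
# The field layout is an assumption; only the regexes below depend on it.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=120 expire=3590 timeout=3600 use=3
hook=post dir=org act=snat 1.1.1.1:51000->10.0.0.1:443(192.0.2.10:51000)
misc=0 policy_id=7 vd=0
serial=002b1aec tos=ff/ff
session info: proto=6 proto_state=01 duration=15 expire=3500 timeout=3600 use=3
hook=post dir=org act=noop 11.1.1.10:44321->10.0.0.1:8443
misc=0 policy_id=9 vd=0
serial=002b1aed tos=ff/ff
session info: proto=17 proto_state=01 duration=4 expire=170 timeout=180 use=3
hook=post dir=org act=noop 1.1.1.1:4430->10.0.0.53:53
misc=0 policy_id=7 vd=0
serial=002b1aee tos=ff/ff
"""

ENDPOINT = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")  # ip:port
FIELD = re.compile(r"(\w+)=(\S+)")                                   # key=value

def parse_sessions(text):
    """Split the dump into one record per 'session info:' block."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            cur = {"fields": {}, "ips": set(), "ports": set()}
            sessions.append(cur)
        if cur is None:
            continue  # prompt or echoed command before the first block
        for ip, port in ENDPOINT.findall(line):
            cur["ips"].add(ip)
            cur["ports"].add(int(port))
        for key, value in FIELD.findall(line):
            cur["fields"].setdefault(key, value)  # keep first occurrence
    return sessions

def find_sessions(sessions, ip=None, port=None, serial=None):
    """Whole-value matching: 1.1.1.1 never matches 11.1.1.10, 443 never 8443."""
    return [s for s in sessions
            if (ip is None or ip in s["ips"])
            and (port is None or port in s["ports"])
            and (serial is None or s["fields"].get("serial") == serial)]

def substring_hits(text, *needles):
    """Lines kept by chained substring filters, like 'grep A | grep B'."""
    return [l for l in text.splitlines() if all(n in l for n in needles)]

if __name__ == "__main__":
    print(len(substring_hits(SAMPLE, "1.1.1.1", "443")), "lines match by substring")
    for s in find_sessions(parse_sessions(SAMPLE), ip="1.1.1.1", port=443):
        print("exact:", s["fields"]["serial"], "policy", s["fields"]["policy_id"])
```

On the constructed sample, the substring filter keeps a line from all three sessions, while whole-value matching returns only the session that really involves 1.1.1.1 and port 443.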