FortiGate
princes
Staff
Article Id 409771
Description This article describes why the session counts in the CLI session list output and in GUI FortiView are not exactly the same.
Scope FortiGate.
Solution

When verifying active sessions on FortiGate, both the GUI FortiView and the CLI session list output can be used for analysis.

The session list output from the CLI differs in some respects from the one in GUI FortiView.

The session counts differ because the CLI output shows the complete session list, including local sessions.

Here is a sample output:

 

One_session_lab.png

 

Now, verify the output of CLI against the GUI session list:

 

diagnose sys session list

 

session info: proto=17 proto_state=01 duration=247 expire=176 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dns-udp vlan_cos=0/255
state=log local nds
statistic(bytes/packets/allow_err): org=2010/32/1 reply=5051/32/1 tuples=2
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 13/0
orgin->sink: org out->post, reply pre->in dev=14->3/3->14 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 10.5.24.44:1758->8.8.8.8:53(0.0.0.0:0)
hook=in dir=reply act=noop 8.8.8.8:53->10.5.24.44:1758(0.0.0.0:0)
dst_mac=00:09:0f:09:fe:23
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=15891737 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local  -------------------------------------> Local session for DNS.

 

session info: proto=6 proto_state=11 duration=745391 expire=3448 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=197277/3595/1 reply=243491/3140/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=5->4/4->5 gwy=10.5.63.254/0.0.0.0
hook=post dir=org act=snat 10.162.13.127:63155->98.66.133.186:443(10.5.56.44:63155)
hook=pre dir=reply act=dnat 98.66.133.186:443->10.5.56.44:63155(10.162.13.127:63155)
hook=post dir=reply act=noop 98.66.133.186:443->10.162.13.127:63155(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:6d:65:72:39:01
misc=0 policy_id=3 pol_uuid_idx=16104 auth_info=0 chk_client_info=0 vd=0
serial=148ca598 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x40001108
no_ofld_reason: npu-flag-off ---------------------> Pass through session, same as in GUI.

 

The no_ofld_reason field shows the reason why there are multiple sessions in the CLI output.

If the reason is local, the session is self-originated local traffic.

The same can be verified in the Local traffic logs:

 

Screenshot 2025-09-05 121802.png
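
The comparison described above can be scripted against saved CLI output. The following is an added example, not part of the original article or Fortinet tooling: it splits "diagnose sys session list" output into sessions and separates those whose no_ofld_reason includes local from pass-through sessions, which is the count to compare with FortiView. The function names and the trimmed sample are assumptions made for illustration.

```python
import re
from collections import Counter
from itertools import takewhile

# Constructed sample: the two sessions from the article's output, trimmed to
# the fields the parser reads.
SAMPLE = """\
session info: proto=17 proto_state=01 duration=247 expire=176 timeout=0
state=log local nds
hook=out dir=org act=noop 10.5.24.44:1758->8.8.8.8:53(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
no_ofld_reason: local

session info: proto=6 proto_state=11 duration=745391 expire=3448 timeout=3600
state=log may_dirty f00
hook=post dir=org act=snat 10.162.13.127:63155->98.66.133.186:443(10.5.56.44:63155)
misc=0 policy_id=3 pol_uuid_idx=16104 auth_info=0 chk_client_info=0 vd=0
no_ofld_reason: npu-flag-off
"""

def parse_sessions(text):
    """Split 'diagnose sys session list' output into one dict per session."""
    sessions = []
    for block in re.split(r"(?m)^(?=session info:)", text):
        if not block.startswith("session info:"):
            continue  # skip any prompt or command echo before the first session
        proto = re.search(r"\bproto=(\d+)", block)
        policy = re.search(r"\bpolicy_id=(\d+)", block)
        flow = re.search(r"dir=org \S+ (\S+?)->(\S+?)\(", block)
        reason = re.search(r"(?m)^no_ofld_reason:[ \t]*(.*)$", block)
        tokens = reason.group(1).split() if reason else []
        # Stop at a "---->" annotation so copies annotated like the article's parse too
        reasons = list(takewhile(lambda t: not t.startswith("--"), tokens))
        sessions.append({
            "proto": int(proto.group(1)) if proto else None,
            "policy_id": int(policy.group(1)) if policy else None,
            "src": flow.group(1) if flow else None,
            "dst": flow.group(2) if flow else None,
            "local": "local" in reasons,  # self-originated traffic per the article
        })
    return sessions

def reconcile(text):
    """Count sessions by kind; compare the 'pass-through' count with FortiView."""
    return Counter("local" if s["local"] else "pass-through" for s in parse_sessions(text))

if __name__ == "__main__":
    print(dict(reconcile(SAMPLE)))
```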