Description
This article describes the meaning of 'no session matched' in debug flow. This document further describes how to log 'no session matched' in the traffic log.

Scope
FortiGate.

Solution
To log the 'no session matched' event in the traffic log, the option 'log-invalid-packet' needs to be enabled.
config log setting
    set log-invalid-packet enable
end
Then the 'no session matched' log can be recorded in the traffic log. The following is a sample log message of 'no session matched'.
date=2023-09-08 time=12:46:49 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1694148409 srcip=10.98.98.101 srcport=61613 srcintf="port2" srcintfrole="undefined" dstip=10.40.30.90 dstport=22 dstintf=unknown-0 dstintfrole="undefined" proto=6 action="deny" policyid=0 policytype="policy" service="SSH" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"
Basically, it means that FortiGate received a packet for which it had no established session, for example because FortiGate never saw the initial TCP 3-way handshake. One possibility is a change of routing path.
For example, the TCP session was initially routed via a path that did not go through FortiGate. A routing change then caused the TCP session to be routed through this FortiGate. Since FortiGate has no session established for this TCP connection, the packet is dropped and the 'no session matched' log is recorded.
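To make the log above usable in detection, the following added example (not Fortinet's code, and not part of the original article) parses FortiGate key=value traffic log lines, picks out 'no session matched' denies, and counts them per source/destination so that a sudden burst after a routing change stands out. The sample input is the article's log line plus two constructed lines; the field names used are the ones visible in the sample log.

```python
import re
from collections import Counter

# FortiGate traffic logs are space-separated key=value pairs. Values are either
# bare tokens (srcip=10.98.98.101) or double-quoted strings that may contain
# spaces (msg="no session matched"), so both forms must be handled.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Sample input: the first line is the one shown in the article; the other two
# are constructed for this example (one more 'no session matched' deny from the
# same host, and one normally accepted flow that must not be counted).
SAMPLE_LINES = [
    'date=2023-09-08 time=12:46:49 logid="0000000007" type="traffic" subtype="forward" '
    'level="warning" vd="root" eventtime=1694148409 srcip=10.98.98.101 srcport=61613 '
    'srcintf="port2" srcintfrole="undefined" dstip=10.40.30.90 dstport=22 dstintf=unknown-0 '
    'dstintfrole="undefined" proto=6 action="deny" policyid=0 policytype="policy" '
    'service="SSH" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 '
    'sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"',
    # constructed
    'date=2023-09-08 time=12:46:52 type="traffic" subtype="forward" level="warning" vd="root" '
    'srcip=10.98.98.101 srcport=61614 srcintf="port2" dstip=10.40.30.90 dstport=22 '
    'dstintf=unknown-0 proto=6 action="deny" policyid=0 policytype="policy" service="SSH" '
    'msg="no session matched"',
    # constructed
    'date=2023-09-08 time=12:47:01 type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.98.98.102 srcport=50100 srcintf="port2" dstip=10.40.30.90 dstport=22 '
    'dstintf="port1" proto=6 action="accept" policyid=1 policytype="policy" service="SSH"',
]


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict of string values."""
    fields = {}
    for match in _KV_RE.finditer(line):
        key = match.group(1)
        # group 3 is the unquoted content of a quoted value, group 4 a bare token
        value = match.group(3) if match.group(3) is not None else match.group(4)
        fields[key] = value
    return fields


def is_no_session_matched(fields):
    """True for the deny that FortiGate writes when log-invalid-packet is enabled
    and a packet arrives with no matching session (policyid=0, implicit deny)."""
    return (
        fields.get("type") == "traffic"
        and fields.get("action") == "deny"
        and fields.get("policyid") == "0"
        and fields.get("msg") == "no session matched"
    )


def summarize_no_session(lines):
    """Count 'no session matched' events per (srcip, dstip, dstport, proto).

    A high count for one tuple in a short window usually points at an
    asymmetric or recently changed routing path rather than at an attack."""
    counts = Counter()
    for line in lines:
        fields = parse_fortigate_log(line)
        if is_no_session_matched(fields):
            key = (fields.get("srcip"), fields.get("dstip"),
                   fields.get("dstport"), fields.get("proto"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, dport, proto), n in summarize_no_session(SAMPLE_LINES).most_common():
        print(f"{src} -> {dst}:{dport} proto={proto}  no-session-matched events: {n}")
```

The filter keys on policyid=0 together with msg="no session matched" because policy 0 is the implicit deny, which is where these packets land; a deny from an explicit policy has a non-zero policyid and a different msg and should be investigated separately.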
Copyright 2023 Fortinet, Inc. All Rights Reserved.