FortiGate
Rosalyn (Staff)
Article Id 240115
Description: This article explains the IPS 'sync-session-ttl' setting.
Scope: All versions of FortiOS.
Solution

By default, 'sync-session-ttl' is enabled. It synchronizes the IPS engine session (shown by 'diag ips session list') with the FortiGate kernel session (shown by 'diag sys session list'), so that both sessions expire at approximately the same time.


This behavior is configurable with the following command:

# config ips global
    set sync-session-ttl {enable | disable}
end

When 'sync-session-ttl' is enabled, querying the kernel session's expiry time returns output similar to the following (note the 'expire=' value):

session info: proto=6 proto_state=11 duration=43 expire=3556 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=2 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr synced f00 app_valid
statistic(bytes/packets/allow_err): org=1057/5/1 reply=1512/4/1 tuples=3
tx speed(Bps/kbps): 24/0 rx speed(Bps/kbps): 34/0
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.47.15.254/10.211.1.157
hook=post dir=org act=snat 10.211.1.157:59849->172.217.174.163:443(10.47.1.237:59849)
hook=pre dir=reply act=dnat 172.217.174.163:443->10.47.1.237:59849(10.211.1.157:59849)
hook=post dir=reply act=noop 172.217.174.163:443->10.211.1.157:59849(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 pol_uuid_idx=14795 auth_info=0 chk_client_info=0 vd=0
serial=00216a48 tos=ff/ff app_list=6000 app=42533 url_cat=0
route_policy_id=1
rpdb_link_id=00000001 ngfwid=n/a
npu_state=0x001108
no_ofld_reason: redir-to-ips denied-by-nturbo

 

Querying the IPS engine session's expiry time returns output similar to the following; its 'expire:' value is close to the kernel session's value above:

SESSION id:235 serial:2189896 proto:6 group:6 age:41 idle:41 flag:0x2a6
feature:0x2 encap:0 ignore:0,0 ignore_after:9415,1
tunnel:0 children:0 flag:..s.-....-....
C-10.211.1.157:59849, S-172.217.174.163:443
state: C-ESTABLISHED/845/0/0/0/0, S-ESTABLISHED/1340/0/0/0/0 pause:0, paws:0
expire: 3559
app: unknown:0 last:42533 unknown-size:0
cnfm: ssl
set: ssl
asm: ssl

 

However, when 'sync-session-ttl' is disabled, the output looks like the following instead. The kernel session still has close to its full 3600-second timeout remaining, while the IPS engine session has under five minutes left:

Kernel session expiry time info:

session info: proto=6 proto_state=11 duration=8 expire=3591 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=2 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr synced f00 app_valid
statistic(bytes/packets/allow_err): org=1053/5/1 reply=1506/4/1 tuples=3
tx speed(Bps/kbps): 125/1 rx speed(Bps/kbps): 180/1
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.47.15.254/10.211.1.157
hook=post dir=org act=snat 10.211.1.157:59998->142.250.199.35:443(10.47.1.237:59998)
hook=pre dir=reply act=dnat 142.250.199.35:443->10.47.1.237:59998(10.211.1.157:59998)
hook=post dir=reply act=noop 142.250.199.35:443->10.211.1.157:59998(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 pol_uuid_idx=14795 auth_info=0 chk_client_info=0 vd=0
serial=00217b34 tos=ff/ff app_list=6000 app=42533 url_cat=0
route_policy_id=1
rpdb_link_id=00000001 ngfwid=n/a
npu_state=0x001108
no_ofld_reason: redir-to-ips denied-by-nturbo

 

IPS engine session expiry time info:

SESSION id:471 serial:2194228 proto:6 group:6 age:14 idle:14 flag:0x2a6
feature:0x2 encap:0 ignore:0,0 ignore_after:9409,1
tunnel:0 children:0 flag:..s.-....-....
C-10.211.1.157:59998, S-142.250.199.35:443
state: C-ESTABLISHED/841/0/0/0/0, S-ESTABLISHED/1334/0/0/0/0 pause:0, paws:0
expire: 286
app: unknown:0 last:42533 unknown-size:0
cnfm: ssl
set: ssl
asm: ssl

 

Disabling this setting reduces the IPS engine session idle timeout to 5 minutes, which lowers the CPU and memory consumed by the IPS engine. Be aware that, once the IPS engine session expires, no further IPS scanning is performed on the remaining traffic of that session, even though the kernel session itself stays open until its own timeout (in the example above, 3591 seconds remaining for the kernel session versus 286 for the IPS engine session).
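As an added example (not from the article or from Fortinet), the following Python script pairs entries from the two diagnostic outputs by client/server tuple and reports how long each kernel session would keep passing traffic after its IPS engine session has expired, i.e. the uninspected tail that the note above warns about. The embedded samples are constructed from the outputs shown above, trimmed to the lines the check needs; pairing by client/server tuple and the 60-second tolerance are assumptions of this script, not FortiOS behaviour.

```python
import re
# Constructed samples trimmed to the lines the check needs; values are those shown
# in the article's outputs (sync-session-ttl enabled first, then disabled).
KERNEL_OUT = """session info: proto=6 proto_state=11 duration=43 expire=3556 timeout=3600
hook=post dir=org act=snat 10.211.1.157:59849->172.217.174.163:443(10.47.1.237:59849)
session info: proto=6 proto_state=11 duration=8 expire=3591 timeout=3600
hook=post dir=org act=snat 10.211.1.157:59998->142.250.199.35:443(10.47.1.237:59998)
"""
IPS_OUT = """SESSION id:235 serial:2189896 proto:6 group:6 age:41 idle:41 flag:0x2a6
C-10.211.1.157:59849, S-172.217.174.163:443
expire: 3559
SESSION id:471 serial:2194228 proto:6 group:6 age:14 idle:14 flag:0x2a6
C-10.211.1.157:59998, S-142.250.199.35:443
expire: 286
"""

def parse_kernel_sessions(text):
    """Map (client, server) -> remaining kernel expire seconds ('diag sys session list')."""
    sessions = {}
    for block in re.split(r"(?m)^session info:", text)[1:]:
        exp = re.search(r"\bexpire=(\d+)", block)
        # The originating direction (dir=org) line carries the pre-NAT client -> server pair.
        tup = re.search(r"dir=org act=\w+ (\S+?)->(\S+?)\(", block)
        if exp and tup:
            sessions[(tup.group(1), tup.group(2))] = int(exp.group(1))
    return sessions

def parse_ips_sessions(text):
    """Map (client, server) -> remaining IPS engine expire seconds ('diag ips session list')."""
    sessions = {}
    for block in re.split(r"(?m)^SESSION id:", text)[1:]:
        exp = re.search(r"(?m)^expire:\s*(\d+)", block)
        tup = re.search(r"C-(\S+), S-(\S+)", block)
        if exp and tup:
            sessions[(tup.group(1), tup.group(2))] = int(exp.group(1))
    return sessions

def unscanned_tail(kernel_text, ips_text, tolerance=60):
    """Per matched session: seconds the kernel session outlives its IPS session (traffic
    that would flow uninspected); 0 when both expire within `tolerance` seconds (assumed)."""
    kernel, ips = parse_kernel_sessions(kernel_text), parse_ips_sessions(ips_text)
    result = {}
    for key, k_exp in kernel.items():
        if key in ips:
            gap = k_exp - ips[key]
            result[key] = gap if gap > tolerance else 0
    return result

if __name__ == "__main__":
    for (client, server), gap in unscanned_tail(KERNEL_OUT, IPS_OUT).items():
        print(f"{client} -> {server}: " + ("synced" if gap == 0 else f"{gap}s unscanned"))
```

On a live unit the two inputs would be the full outputs of 'diag sys session list' and 'diag ips session list'; the parsers only read the 'session info:' / 'hook=... dir=org' and 'SESSION id:' / 'C-..., S-...' / 'expire:' lines, so extra fields are ignored.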