FortiGate
acozzetti
Staff
Article Id 192647

Description

 

This article describes how to filter the FortiGate session table on the CLI based on session states.

Solution

 

The 'diagnose sys session filter' CLI command accepts the options 'session-state1' and 'session-state2', which filter sessions based on the session state flags that are set on them.

The parameters required are:

 

diagnose sys session filter <session-state1|session-state2> <state_bits> <state_bits_mask>

 

state_bits: the hexadecimal bit value(s) of the state(s) to match. For example, for 'session-state1':

 

  • 00000200: may_dirty
  • 04000000: synced
  • 00100000: nlb
  • 00000004: log
  • Etc.

 

Run the following CLI commands without further arguments (press Enter after the option name) to display the available state values and their bit positions:

 

diagnose sys session filter session-state1

 

diagnose sys session filter session-state2

 

Note: states can be combined by OR-ing their bit values (for example, may_dirty 00000200 plus nlb 00100000 gives 00100200).

state_bits_mask: the filter keeps a session when (session state AND state_bits_mask) equals state_bits. A mask of FFFFFFFF therefore matches only sessions that have exactly the specified states and nothing else; a mask equal to state_bits matches sessions that have the specified states set, whether or not other states are also set.

Examples:

 

  1. Filter sessions whose only states are 'may_dirty', 'nlb' and 'nosyn_ses':

 

diagnose sys session filter clear
diagnose sys session filter session-state1 00100200 ffffffff
diagnose sys session filter session-state2 00001000 ffffffff
diagnose sys session list

session info: slot=0 ori_slot=0 proto=6 proto_state=02 duration=0 expire=9 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=8/8
state=may_dirty nlb nosyn_ses
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=103->105/105->103 gwy=169.254.0.66/0.0.0.0
hook=pre dir=org act=noop 10.101.10.5:11971->172.168.17.2:514(0.0.0.0:0)
hook=post dir=reply act=noop 172.168.17.2:514->10.101.10.5:11971(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 auth_info=0 chk_client_info=0 vd=1
serial=0117979c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason:  non-npu-intf
total session 60

 

  2. Filter sessions that have the 'log' state, with or without other states:

 

diagnose sys session filter clear
diagnose sys session filter session-state1 00000004 00000004
diagnose sys session list

session info: slot=0 ori_slot=0 proto=17 proto_state=00 duration=1179952 expire=139 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8
state=log local may_dirty
statistic(bytes/packets/allow_err): org=1415664/19662/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->in, reply out->post dev=4->0/0->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.5.21.24:1950->10.5.31.255:8014(0.0.0.0:0)
hook=post dir=reply act=noop 10.5.31.255:8014->10.5.21.24:1950(0.0.0.0:0)
misc=0 policy_id=4294967295 auth_info=0 chk_client_info=0 vd=2
serial=00000872 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=00000000
no_ofld_reason:  local
total session 20

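As an added example (not from the article or from Fortinet), the following Python script builds the state_bits and state_bits_mask arguments for the two mask modes described above, reproduces the test the filter applies to a session's state word ((state AND mask) == state_bits), and checks both example filters against an abbreviated, constructed copy of the session listings shown. Only the bit values quoted in this article are included; any other state has to be looked up on the unit by running the filter command without arguments.

```python
"""Build 'diagnose sys session filter session-state1/2' arguments and check
what each mask mode matches (example code, not Fortinet's).

Bit values are the ones quoted in the article; any state not listed here must
be looked up with 'diagnose sys session filter session-state1' (or
session-state2) on the unit itself.
"""
import re

# session-state1 bit values quoted in the article (hex)
STATE1_BITS = {
    "log": 0x00000004,
    "may_dirty": 0x00000200,
    "nlb": 0x00100000,
    "synced": 0x04000000,
}
# session-state2 bit value used in the article's first example
STATE2_BITS = {
    "nosyn_ses": 0x00001000,
}
TABLES = {"session-state1": STATE1_BITS, "session-state2": STATE2_BITS}


def filter_args(which, names, exact):
    """Return (state_bits, state_bits_mask) strings for one filter option.

    exact=True  -> mask ffffffff: only sessions whose whole state word equals
                   state_bits (no other flags set)
    exact=False -> mask == state_bits: sessions that have these flags set,
                   whatever else is set
    """
    bits = 0
    for name in names:
        bits |= TABLES[which][name]   # KeyError for a state not in the table
    mask = 0xFFFFFFFF if exact else bits
    return f"{bits:08x}", f"{mask:08x}"


def cli_lines(state1=(), state2=(), exact=True):
    """Full command sequence, clearing any previous filter first."""
    lines = ["diagnose sys session filter clear"]
    for which, names in (("session-state1", state1), ("session-state2", state2)):
        if names:
            bits, mask = filter_args(which, names, exact)
            lines.append(f"diagnose sys session filter {which} {bits} {mask}")
    lines.append("diagnose sys session list")
    return lines


def matches(state_word, bits, mask):
    """The test the filter applies to a session's 32-bit state word."""
    return (state_word & int(mask, 16)) == int(bits, 16)


# Offline check against 'diagnose sys session list' output: every session
# block carries a 'state=' line listing state names. exact=True requires the
# set of names to be identical; exact=False only requires the wanted names.
_STATE_RE = re.compile(r"^state=(.*)$", re.M)


def sessions_with_states(listing, names, exact=True):
    wanted = set(names)
    hits = []
    for block in listing.split("session info:")[1:]:
        m = _STATE_RE.search(block)
        have = set(m.group(1).split()) if m else set()
        if (have == wanted) if exact else (wanted <= have):
            hits.append(sorted(have))
    return hits


# Constructed, abbreviated listing mirroring the two sessions in the article.
SAMPLE_LISTING = """\
session info: proto=6 proto_state=02 duration=0 expire=9 timeout=3600
state=may_dirty nlb nosyn_ses
hook=pre dir=org act=noop 10.101.10.5:11971->172.168.17.2:514(0.0.0.0:0)
npu_state=0x040000
session info: proto=17 proto_state=00 duration=1179952 expire=139 timeout=0
state=log local may_dirty
hook=pre dir=org act=noop 10.5.21.24:1950->10.5.31.255:8014(0.0.0.0:0)
npu_state=00000000
total session 2
"""

if __name__ == "__main__":
    print("\n".join(cli_lines(["may_dirty", "nlb"], ["nosyn_ses"], exact=True)))
    print("\n".join(cli_lines(["log"], exact=False)))
    print(sessions_with_states(SAMPLE_LISTING, ["log"], exact=False))
```

The 'exact' flag is the whole difference between the two examples: with it set, a session that also has 'log' set no longer matches a may_dirty+nlb filter, which is why a session that looks right in the listing can disappear once the mask is FFFFFFFF.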
 

Warning:

 

Running 'diagnose sys session clear' with no filter set clears every session on the firewall. Set a filter first and verify what it matches with 'diagnose sys session list', or confirm that clearing all sessions is really intended, before running:

 

diagnose sys session clear