acozzetti
Staff
Article Id 192647
Description
This article describes how to filter the FortiGate session table on the CLI based on session states.

Solution
In the 'diagnose sys session filter' CLI command, the options 'session-state1' and 'session-state2' filter sessions based on session states.

The parameters required are:
# diagnose sys session filter <session-state1|session-state2> <state_bits> <state_bits_mask>
state_bits: identifies the states to filter on. For example, for 'session-state1':

- 00000200: may_dirty
- 04000000: synced
- 00100000: nlb
- 00000004: log
- ...

Press Enter after each of the following CLI commands to display the available session state values that can be used as a filter:
# diagnose sys session filter session-state1
And
# diagnose sys session filter session-state2
Note: states can be combined.

state_bits_mask: this mask controls whether the search returns sessions that contain only the specified states (mask: FFFFFFFF) or sessions that include these states and also other states (mask: same as state_bits).
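
The mask behaviour described above, as an added example (not Fortinet code and not part of the original article): it builds the filter command from state names and applies the mask to constructed state words. It assumes a session matches when (state AND state_bits_mask) equals state_bits, which is consistent with both mask cases above; the function names are hypothetical.

```python
# Added example. Bit values are the four session-state1 flags listed in the article.
STATE1_BITS = {
    "log": 0x00000004,
    "may_dirty": 0x00000200,
    "nlb": 0x00100000,
    "synced": 0x04000000,
}

def state_bits(names, table=STATE1_BITS):
    """OR together the bit values of the named states."""
    if not names:
        raise ValueError("at least one state name is required")
    unknown = sorted(set(names) - set(table))
    if unknown:
        raise ValueError(f"no bit value known for: {', '.join(unknown)}")
    bits = 0
    for name in names:
        bits |= table[name]
    return bits

def build_filter(names, exact, field="session-state1"):
    """Return the CLI line for 'only these states' (exact) or 'at least these'."""
    bits = state_bits(names)
    mask = 0xFFFFFFFF if exact else bits
    return f"diagnose sys session filter {field} {bits:08x} {mask:08x}"

def matches(state_word, bits, mask):
    """Assumed predicate: the masked state word must equal state_bits."""
    return (state_word & mask) == bits

def select(sessions, names, exact):
    """Return the labels of constructed sessions the filter would keep."""
    bits = state_bits(names)
    mask = 0xFFFFFFFF if exact else bits
    return [label for label, word in sessions if matches(word, bits, mask)]

# Constructed 32-bit state words, not taken from a device.
SAMPLE = [
    ("a: may_dirty nlb", 0x00100200),
    ("b: log may_dirty", 0x00000204),
    ("c: log may_dirty nlb synced", 0x04100204),
]

if __name__ == "__main__":
    print(build_filter(["may_dirty", "nlb"], exact=True))
    print(select(SAMPLE, ["may_dirty", "nlb"], exact=True))
    print(select(SAMPLE, ["log"], exact=False))
```
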



Examples:

1) Filter sessions that have only the states 'may_dirty', 'nlb' and 'nosyn_ses':
# diagnose sys session filter clear
# diagnose sys session filter session-state1 00100200 ffffffff
# diagnose sys session filter session-state2 00001000 ffffffff
# diagnose sys session list

session info: slot=0 ori_slot=0 proto=6 proto_state=02 duration=0 expire=9 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=8/8
state=may_dirty nlb nosyn_ses
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=103->105/105->103 gwy=169.254.0.66/0.0.0.0
hook=pre dir=org act=noop 10.101.10.5:11971->172.168.17.2:514(0.0.0.0:0)
hook=post dir=reply act=noop 172.168.17.2:514->10.101.10.5:11971(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 auth_info=0 chk_client_info=0 vd=1
serial=0117979c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason:  non-npu-intf
total session 60

2) Filter sessions that have the state "log" and any other state:
# diagnose sys session filter clear
# diagnose sys session filter session-state1 00000004 00000004
# diagnose sys session list

session info: slot=0 ori_slot=0 proto=17 proto_state=00 duration=1179952 expire=139 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8
state=log local may_dirty
statistic(bytes/packets/allow_err): org=1415664/19662/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->in, reply out->post dev=4->0/0->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.5.21.24:1950->10.5.31.255:8014(0.0.0.0:0)
hook=post dir=reply act=noop 10.5.31.255:8014->10.5.21.24:1950(0.0.0.0:0)
misc=0 policy_id=4294967295 auth_info=0 chk_client_info=0 vd=2
serial=00000872 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=00000000
no_ofld_reason:  local
total session 20
