tthrilok
Staff
Article Id 424492
Description This article describes how FortiGate handles the ICMP control plane messages for an established session.
Scope FortiGate.
Solution

FortiOS establishes a session for any traffic flow based on its 5-tuple (source IP, destination IP, source port, destination port, protocol).


Once a session exists for a flow, any ICMP control plane message related to that session is allowed or dropped based on the allow_err flag in the session table entry.


Below is an example session:


session info: proto=1 proto_state=00 duration=259 expire=56 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty f00 f02
statistic(bytes/packets/allow_err:( org=4284/51/0 reply=0/0/0 tuples=2 <<
tx speed(Bps/kbps): 16/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=38->41/41->38 gwy=10.160.254.9/10.0.0.3
hook=pre dir=org act=noop 172.20.61.40:2019->10.169.150.3:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.169.150.3:2019->172.20.61.40:0(0.0.0.0:0)
src_mac=70:4c:a5:23:4e:18 dst_mac=90:6c:ac:b7:fc:e8
misc=0 policy_id=3844 pol_uuid_idx=18627 auth_info=0 chk_client_info=0 vd=3
serial=0000019d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000101 no_offload
no_ofld_reason: disabled-by-policy
total session 1


As highlighted (<<) in the session above, the allow_err value inside the statistic(...) block is what governs ICMP control plane messages for this particular session.


For each session, FortiOS keeps this flag (referred to as allow_error below) separately for each direction, org and reply, and uses it to decide whether an ICMP error message is allowed or dropped.


For example, for a session from client to server: a packet from the client to the server sets the original-direction allow_error flag once. While it is set, an ICMP error arriving from the server side is allowed, and allow_error is cleared at the same time. Any further ICMP errors from the server side are dropped. The next packet from the client side sets allow_error again, so one new ICMP error from the server is allowed.
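To make the per-direction rule concrete, here is a small Python model written for this article (it is not Fortinet code): it parses the allow_err flags out of a statistic(...) line like the one above and replays a data-packet/ICMP-error sequence to show which errors would pass. The class and function names are this example's own; the event sequence is constructed.

```python
import re

# Per-direction counters in a FortiOS session entry, e.g. (line quoted from the article):
#   statistic(bytes/packets/allow_err:( org=4284/51/0 reply=0/0/0 tuples=2 <<
STAT_RE = re.compile(r"\b(?P<dir>org|reply)=(?P<bytes>\d+)/(?P<pkts>\d+)/(?P<allow_err>\d+)")


def parse_allow_err(stat_line: str) -> dict:
    """Return {'org': bool, 'reply': bool} for the allow_err flags in a
    'statistic(...)' line. Raises ValueError if both directions are not present."""
    flags = {m.group("dir"): m.group("allow_err") != "0"
             for m in STAT_RE.finditer(stat_line)}
    if set(flags) != {"org", "reply"}:
        raise ValueError("not a session statistic line: %r" % stat_line)
    return flags


class SessionIcmpState:
    """Toy model of the per-direction allow_err behaviour the article describes.
    Class and method names are this example's own, not FortiOS internals."""

    def __init__(self):
        self.allow_err = {"org": False, "reply": False}

    def data_packet(self, direction: str) -> None:
        # A data packet in a direction sets that direction's allow_err flag.
        self.allow_err[direction] = True

    def icmp_error(self, from_direction: str) -> str:
        # An ICMP error from the reply side relates to traffic sent in the
        # org direction, so it consumes the org flag (and vice versa).
        related = "org" if from_direction == "reply" else "reply"
        if self.allow_err[related]:
            self.allow_err[related] = False  # one error allowed per data packet
            return "allow"
        return "drop"


def replay(events) -> list:
    """Feed ('data'|'icmp', 'org'|'reply') events through the model and
    return the verdict for each ICMP error, in order."""
    state = SessionIcmpState()
    verdicts = []
    for kind, direction in events:
        if kind == "data":
            state.data_packet(direction)
        else:
            verdicts.append(state.icmp_error(direction))
    return verdicts
```

Replaying a client packet followed by two server ICMP errors, then another client packet and one more error, yields allow, drop, allow, which is the behaviour the paragraph above describes.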