FortiGate
iskandar_lie
Staff
Article Id 253403
Description

 

This article explains how to use the 'filter' option together with the 'diagnose sys session list' command to narrow the output down to the sessions of interest.

 

Scope

 

FortiOS 6.0 - onwards.

 

Solution

 

'diagnose sys session list' is one of the most important tools, used extensively by TAC for troubleshooting purposes.

To avoid being overwhelmed by the amount of information displayed, a 'filter' function is available to help spot the problem or the traffic of interest more easily.

This article explains how to use the filter and how to obtain the values that need to be entered into it.

 

FGT1 # diagnose sys session filter
session filter:
vd: any
sintf: any
dintf: any
proto: any
proto-state: any
source ip: any
NAT'd source ip: any
dest ip: any
source port: any
NAT'd source port: any
dest port: any
policy id: any
expire: any
duration: any
state1: any
state2: any

 

  • The 'filter' parameters shown in red accept a single value, while the rest accept multiple values (a start and an end of a range).

 

Most of the filter parameter names shown above differ from the keywords that must be typed to set them.

To see the exact keywords, run:

 

diagnose sys session filter ?
vd                Index of virtual domain. -1 matches all.
vd-name           Name of virtual domain. -1 or "any" matches all.
sintf             Source interface.
dintf             Destination interface.
src               Source IP address.
nsrc              NAT'd source ip address
dst               Destination IP address.
proto             Protocol number.
sport             Source port.
nport             NAT'd source port
dport             Destination port.
policy            Policy ID.
expire            expire
duration          duration
proto-state       Protocol state.
session-state1    Session state1.
session-state2    Session state2.
ext-src           Add a source address to the extended match list.
ext-dst           Add a destination address to the extended match list.
ext-src-negate    Add a source address to the negated extended match list.
ext-dst-negate    Add a destination address to the negated extended match list.
clear             Clear session filter.
negate            Inverse filter.

 

Note: Some options are only available in later versions:

  • The following options are available from 5.4.1 and above:

session-state1    Session state1.
session-state2    Session state2.

  • The following options are available from 6.0.4 and above:

ext-src           Add a source address to the extended match list.
ext-dst           Add a destination address to the extended match list.
ext-src-negate    Add a source address to the negated extended match list.
ext-dst-negate    Add a destination address to the negated extended match list.

  • The following option is available from 6.4.2 and above:

vd-name           Name of virtual domain. -1 or "any" matches all.

 

Here is how to obtain the value needed for each particular filter parameter:

 

  1. 'sintf' 'dintf'.

 

How to get the information:

 

FGT1 # diagnose netlink interface list | grep index=
--truncated--
if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0
--truncated--

 

Syntax example:

 

diagnose sys session filter sintf port1 -> Assign 'port1' as a source interface filter.

 

  2. 'vd' 'vd-name': VDOM ID or VDOM name ('vd-name' is not listed in the filter output above, but the option exists).

     

    How to get the information:

     

    FGT1 (global) # diagnose sys vd list | grep name=
    --truncated--
    name=branchA/branchA index=3 enabled fib_ver=0 rpdb_ver=0 use=24 rt_num=10 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
    --truncated--

     

    Syntax example:

     

    FGT2 (root) # diagnose sys session filter vd 3 


    Or:

    FGT2 (root) # diagnose sys session filter vd-name branchA
    find VDOM ID: 3

     

     

  3. 'proto': protocol.

    The most commonly used protocol numbers:


    1 = ICMP.
    6 = TCP.
    17 = UDP.

     

    Syntax example:

     

    FGT2 (root) # diagnose sys session filter proto 1 

     

     

  4. 'policy': Policy ID.

     

     

How to get the information:

 

FGT2 (root) # get firewall policy
== [ 1 ]
policyid: 1
== [ 2 ]
policyid: 2

Syntax example:

 

FGT2 (root) # diagnose sys session filter policy 1 2  -> multiple entries: the filter matches policy IDs from '1' up to '2'.

 

How to fix or clear the 'filter' parameter:

 

  1. To clear or reset all parameters to the default:

 

diagnose sys session filter clear 

  2. To reset only a particular parameter:

     

    For IP address parameter type:

     

    diagnose sys session filter src 0.0.0.0

     

    For VDOM:

     

    diagnose sys session filter vd -1

     

    For the rest of parameters:

     

    diagnose sys session filter <parameter> 0 

     

     

  3. To fix a wrong filter:

    Reapplying the same command with a new value overwrites the previously set value.

     

     

  4. To confirm whether the filter is applied:

    FGT2 (root) # diagnose sys session filter
    session filter:
    vd: 3
    sintf: 3    -> The interface is shown here as its index: refer to 'diagnose netlink interface list | grep index=' to confirm the interface name.

     

     

Warning: 

 

To clear only a particular running session, make sure that 'diagnose sys session filter' shows the particular filter intended for the clear.

diagnose sys session clear  -> Clear all the sessions matching the filter applied.

diagnose sys session list   -> Show all the sessions matching the filter applied.

  • Performing the 'clear' command without any filter applied will clear all the sessions in the firewall, resulting in traffic disruption.
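As an added example (not part of the original article or of FortiOS), the following Python helper parses the output of 'diagnose sys session filter' and of 'diagnose netlink interface list', resolves the 'sintf'/'dintf' index back to an interface name as the confirmation step above describes, and refuses to treat a session clear as safe when every parameter is still 'any'. The sample outputs are constructed to match the article's listings (VDOM index 3, port1 at index 3), not captured from a real unit.

```python
import re

# Constructed sample outputs, modelled on the article's listings (not captured from a real unit).
FILTER_OUTPUT = """session filter:
vd: 3
sintf: 3
dintf: any
proto: 6
proto-state: any
source ip: any
NAT'd source ip: any
dest ip: any
source port: any
NAT'd source port: any
dest port: 443-443
policy id: 1-2
expire: any
duration: any
state1: any
state2: any
"""
NETLINK_OUTPUT = """if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0
if=port2 family=00 type=1 index=4 mtu=1500 link=0 master=0
"""

def parse_session_filter(text):
    """Return {parameter: value} from the 'name: value' lines of 'diagnose sys session filter'."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() != "session filter":
            params[name.strip()] = value.strip()
    return params

def interface_index_map(text):
    """Map interface index -> name using 'diagnose netlink interface list' lines."""
    return {int(i): name for name, i in re.findall(r"if=(\S+).*?index=(\d+)", text)}

def active_filters(params, ifmap):
    """Non-default parameters only; sintf/dintf are shown as an index, so resolve the name."""
    active = {}
    for name, value in params.items():
        if value == "any":
            continue
        if name in ("sintf", "dintf") and value.isdigit():
            value = f"{value} ({ifmap.get(int(value), 'unknown')})"
        active[name] = value
    return active

def safe_to_clear(params):
    """'diagnose sys session clear' with no filter set clears every session: require a filter."""
    return any(value != "any" for value in params.values())
```

Run the check against the real command output (over SSH or a console capture) before issuing 'diagnose sys session clear' on a production unit.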

 

Related Documents:

diagnose sys session/session6 list (view offloaded sessions)

Troubleshooting Tip: FortiGate session table infor... - Fortinet Community

Technical Tip: Using filters to clear sessions on a FortiGate