Created on 04-23-2023 11:52 PM
Edited on 08-10-2024 05:26 AM
By Jean-Philippe_P
This article explains how to use the 'filter' option with the 'diagnose sys session list' command to obtain the intended result.
FortiOS 6.0 onwards.
'diagnose sys session list' is one of the most important tools and is used extensively by TAC for troubleshooting.
To avoid being overwhelmed by the information displayed, a 'filter' function helps to spot the problem or the traffic of interest more easily.
This article explains filter usage and how to obtain the values that need to be entered into the filter.
FGT1 # diagnose sys session filter
session filter:
vd: any
sintf: any
dintf: any
proto: any
proto-state: any
source ip: any
NAT'd source ip: any
dest ip: any
source port: any
NAT'd source port: any
dest port: any
policy id: any
expire: any
duration: any
state1: any
state2: any
Most of the filter parameter names shown above differ from the keyword syntax needed to set them.
To see the exact keywords, run:
diagnose sys session filter ?
vd Index of virtual domain. -1 matches all.
vd-name Name of virtual domain. -1 or "any" matches all.
sintf Source interface.
dintf Destination interface.
src Source IP address.
nsrc NAT'd source ip address
dst Destination IP address.
proto Protocol number.
sport Source port.
nport NAT'd source port
dport Destination port.
policy Policy ID.
expire expire
duration duration
proto-state Protocol state.
session-state1 Session state1.
session-state2 Session state2.
ext-src Add a source address to the extended match list.
ext-dst Add a destination address to the extended match list.
ext-src-negate Add a source address to the negated extended match list.
ext-dst-negate Add a destination address to the negated extended match list.
clear Clear session filter.
negate Inverse filter.
Note: Some options are only available in later versions:
session-state1 Session state1.
session-state2 Session state2.
ext-src Add a source address to the extended match list.
ext-dst Add a destination address to the extended match list.
ext-src-negate Add a source address to the negated extended match list.
ext-dst-negate Add a destination address to the negated extended match list.
vd-name Name of virtual domain. -1 or "any" matches all.
Here are tips on how to easily obtain the value for a particular filter parameter:
'sintf' 'dintf': source or destination interface name.
How to get the information:
FGT1 # diagnose netlink interface list | grep index=
--truncated--
if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0
--truncated--
Syntax example:
diagnose sys session filter sintf port1 -> Assigns 'port1' as the source interface filter.
'vd' 'vd-name': VDOM ID or VDOM name ('vd-name' is not listed in the filter summary, but the option is available).
How to get the information:
FGT1 (global) # diagnose sys vd list | grep name=
--truncated--
name=branchA/branchA index=3 enabled fib_ver=0 rpdb_ver=0 use=24 rt_num=10 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
--truncated--
Syntax example:
FGT2 (root) # diagnose sys session filter vd 3
Or:
FGT2 (root) # diagnose sys session filter vd-name branchA
find VDOM ID: 3
'proto': protocol.
The most commonly used protocol numbers:
1 = ICMP.
6 = TCP.
17 = UDP.
Syntax example:
FGT2 (root) # diagnose sys session filter proto 1
'policy': policy ID.
How to get the information:
FGT2 (root) # get firewall policy
== [ 1 ]
policyid: 1
== [ 2 ]
policyid: 2
Syntax example:
FGT2 (root) # diagnose sys session filter policy 1 2 -> Two values form a range: this matches policy IDs from '1' up to '2'.
How to correct or clear a 'filter' parameter:
diagnose sys session filter clear
To reset only a particular parameter:
For IP address parameter type:
diagnose sys session filter src 0.0.0.0
For VDOM:
diagnose sys session filter vd -1
For the rest of parameters:
diagnose sys session filter <parameter> 0
To correct a wrong filter value:
Reapplying the same keyword with a new value overwrites the previously set value.
To confirm that the filter is applied:
FGT2 (root) # diagnose sys session filter
session filter:
vd: 3
sintf: 3 -> The interface index is shown here, not the name: refer to 'diagnose netlink interface list | grep index=' to confirm which interface it corresponds to.
Warning:
To clear only a particular running session, make sure that the output of 'diagnose sys session filter' shows exactly the filter intended before clearing; 'diagnose sys session clear' removes every session matching the current filter, so with every field left at 'any' it clears all sessions on the unit.
diagnose sys session clear -> Clears all the sessions matching the filter applied.
diagnose sys session list -> Shows all the sessions matching the filter applied.
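As an added example (not part of the original article), the following Python helper cross-references the 'diagnose sys session filter' summary with the 'diagnose netlink interface list' and 'diagnose sys vd list' outputs shown above, so that the numeric 'sintf', 'dintf' and 'vd' values resolve to names, and reports which fields are actually set before 'diagnose sys session clear' is run. The three outputs embedded in the script are constructed samples in the formats this article shows, not captures from a real unit.

```python
import re

# Constructed sample outputs (same formats as in the article, not real captures).
NETLINK_OUTPUT = """\
if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0
if=port2 family=00 type=1 index=4 mtu=1500 link=0 master=0
if=wan1 family=00 type=1 index=5 mtu=1500 link=0 master=0
"""
VD_OUTPUT = """\
name=root/root index=0 enabled fib_ver=0 rpdb_ver=0 use=24 rt_num=10 asym_rt=0
name=branchA/branchA index=3 enabled fib_ver=0 rpdb_ver=0 use=24 rt_num=10 asym_rt=0
"""
FILTER_OUTPUT = """\
session filter:
vd: 3
sintf: 3
dintf: any
proto: 1
proto-state: any
source ip: any
dest ip: any
policy id: any
"""

def index_map(output, name_key):
    """Map numeric index -> name from lines like 'if=port1 ... index=3'
    or 'name=branchA/branchA index=3'."""
    mapping = {}
    for line in output.splitlines():
        m = re.search(rf"\b{name_key}=(\S+).*?\bindex=(\d+)", line)
        if m:
            mapping[m.group(2)] = m.group(1).split("/")[0]  # 'branchA/branchA' -> 'branchA'
    return mapping

def parse_filter(output):
    """Parse the 'diagnose sys session filter' summary into field -> value."""
    fields = {}
    for line in output.splitlines()[1:]:  # skip the 'session filter:' header
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def resolve_filter(filter_out, netlink_out, vd_out):
    """Return the filter with indexes resolved to names, plus the list of
    fields that are not 'any' (an empty list means 'clear' would hit every session)."""
    ifaces, vdoms = index_map(netlink_out, "if"), index_map(vd_out, "name")
    f = parse_filter(filter_out)
    for key in ("sintf", "dintf"):
        if f.get(key, "any") != "any":
            f[key] = ifaces.get(f[key], f"index {f[key]} (unknown)")
    if f.get("vd", "any") != "any":
        f["vd"] = vdoms.get(f["vd"], f"index {f['vd']} (unknown)")
    return f, [k for k, v in f.items() if v != "any"]
```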
Related Documents:
diagnose sys session/session6 list (view offloaded sessions)
Troubleshooting Tip: FortiGate session table infor... - Fortinet Community
Technical Tip: Using filters to clear sessions on a FortiGate
Copyright 2025 Fortinet, Inc. All Rights Reserved.