Description
This article describes how to check hardware session statistics for each hyperscale firewall VDOM on a FortiGate configured with log2host.
Scope
FortiOS 7.6.0 or later with hyperscale VDOMs configured.
Solution
On a hyperscale FortiGate, the ‘diagnose sys npu-session stat’ command normally provides only system-wide hardware session statistics.
FGT (global) # diagnose system npu-session stat
HW session cnt = 999750, setup rate = 0 (v4:0)
HW log(ps) rate = 0, log(pm) rate = 0
If hardware session statistics for a specific hyperscale firewall VDOM or a specific firewall policy are required on a system with multiple hyperscale firewall VDOMs, follow the steps below.
- Identify the VDOM ID of the hyperscale firewall VDOM.
FGT (vdom) # edit test-hw3
current vf=test-hw3:498 <----- 498 is the VDOM ID.
- Check hardware session statistics for the specified hyperscale firewall VDOM using the ‘diagnose npu np7 vdom-session-stats <VDOM ID>’ command.
FGT (global) # diagnose npu np7 vdom-session-stats 498
HW session stats for vdom 498, policy -1:
CCS: FWD 409962, REV 0
CPS: FWD 0, REV 0
The meaning of each field is as follows.
- CCS: Concurrent sessions.
- CPS: Connection per second.
- FWD: Number of standard hardware firewall sessions.
- REV: Number of hardware firewall sessions created by Endpoint Independent Filtering (cgn-eif).
- If statistics for a specific firewall policy are required, add the policy ID option.
FGT (global) # diagnose npu np7 vdom-session-stats 498 38 <----- Policy ID 38 in VDOM ID 498.
HW session stats for vdom 498, policy 38:
CCS: FWD 65532, REV 0
CPS: FWD 0, REV 0
Special note:
This method can be used only when the log-processor setting is configured as 'host'.
FGT (global) # config log npu-server
FGT (npu-server) # show | grep log-processor
set log-processor host
If the ‘log-processor hardware’ setting is used, the following error is displayed and this method cannot be used.
FGT (global) # diagnose npu np7 vdom-session-stats
The command is only available for log2host case!
