- In some cases, the Administrator may have to clear sessions that have been active in the FortiGate for a very long time. In some other instances, the Administrator may wish to check the number of active sessions that have a long duration for troubleshooting purposes.
- Using FortiGate's session filter, the Administrator can perform this action.
- FortiGate has a 'duration' filter in its session filter command. It creates a filter that lists only sessions that have been active for a long duration. In the example below, the duration range is given as 1000 seconds to 1000000000.
kvm126 # diagnose sys session filter duration 1000 1000000000
kvm126 # diagnose sys session list
session info: proto=17 proto_state=00 duration=333060 expire=177 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0 state=local may_dirty statistic(bytes/packets/allow_err): org=399744/5552/1 reply=0/0/0 tuples=2 tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->in, reply out->post dev=3->0/14->3 gwy=0.0.0.0/0.0.0.0 hook=pre dir=org act=noop 10.5.147.14:18371->10.5.191.255:8014(0.0.0.0:0) hook=post dir=reply act=noop 10.5.191.255:8014->10.5.147.14:18371(0.0.0.0:0) misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0 serial=000000db tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id=00000000 ngfwid=n/a npu_state=00000000 no_ofld_reason: local
session info: proto=17 proto_state=00 duration=333045 expire=179 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255 state=log local nds statistic(bytes/packets/allow_err): org=22430654/68278/1 reply=0/0/0 tuples=2 tx speed(Bps/kbps): 75/0 rx speed(Bps/kbps): 0/0 orgin->sink: org out->in, reply out->in dev=14->14/0->0 gwy=0.0.0.0/0.0.0.0 hook=out dir=org act=noop 127.0.0.1:24408->127.0.0.1:12121(0.0.0.0:0) hook=in dir=reply act=noop 127.0.0.1:12121->127.0.0.1:24408(0.0.0.0:0) misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0 serial=00000188 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id=00000000 ngfwid=n/a npu_state=00000000 no_ofld_reason: local
session info: proto=6 proto_state=11 duration=144280 expire=3549 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0 state=log may_dirty ndr app_valid statistic(bytes/packets/allow_err): org=42594/722/1 reply=53497/622/1 tuples=3 tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.5.191.254/0.0.0.0 hook=post dir=org act=snat 10.173.18.198:49691->20.199.120.151:443(10.5.146.190:49691) hook=pre dir=reply act=dnat 20.199.120.151:443->10.5.146.190:49691(10.173.18.198:49691) hook=post dir=reply act=noop 20.199.120.151:443->10.173.18.198:49691(0.0.0.0:0) pos/(before,after) 0/(0,0), 0/(0,0) src_mac=00:63:68:61:86:01 misc=0 policy_id=1 pol_uuid_idx=15745 auth_info=0 chk_client_info=0 vd=0 serial=0026f40a tos=ff/ff app_list=0 app=15895 url_cat=0 rpdb_link_id=00000000 ngfwid=1 npu_state=0x001108 no_ofld_reason: redir-to-ips denied-by-nturbo
total session 3
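- Once the sessions are listed in the FortiGate, they can be cleared with the command 'diagnose sys session clear'. The clear command acts on the sessions that match the session filter currently set, so confirm the filter and the listing it produces before running it; with no filter set, it clears all sessions.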
kvm126 # diagnose sys session clear
kvm126 # diagnose sys session list
total session 0
- Overall session statistics on the FortiGate can be viewed with the command:
diagnose sys session stat
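To review what the duration filter matched before running the clear command, the listing can be saved and summarized offline. The following is an added example, not part of the original article or Fortinet tooling: the function names are hypothetical, and the sample text is constructed by abbreviating the field layout of the listing above.

```python
import re

# Constructed sample: abbreviated records in the layout of 'diagnose sys session list'.
# The third record (short-lived, documentation address) is invented for the example.
SAMPLE = """\
session info: proto=17 proto_state=00 duration=333060 expire=177 timeout=0 flags=00000000
hook=pre dir=org act=noop 10.5.147.14:18371->10.5.191.255:8014(0.0.0.0:0)
misc=0 policy_id=4294967295 vd=0 serial=000000db tos=ff/ff
session info: proto=6 proto_state=11 duration=144280 expire=3549 timeout=3600 flags=00000000
hook=post dir=org act=snat 10.173.18.198:49691->20.199.120.151:443(10.5.146.190:49691)
misc=0 policy_id=1 vd=0 serial=0026f40a tos=ff/ff
session info: proto=6 proto_state=01 duration=12 expire=3590 timeout=3600 flags=00000000
hook=post dir=org act=snat 10.173.18.50:50000->192.0.2.10:443(10.5.146.190:50000)
misc=0 policy_id=1 vd=0 serial=0026f500 tos=ff/ff
total session 3
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
_FIELD = re.compile(r"\b(proto|duration|expire|policy_id|serial)=(\S+)")
_ORG = re.compile(r"dir=org act=\S+ (\S+?)->(\S+?)\(")  # original-direction tuple

def parse_sessions(text):
    """Split on 'session info:' so multi-line and flattened listings both parse."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        raw = dict(_FIELD.findall(chunk))
        if "duration" not in raw or "proto" not in raw:
            continue  # truncated record: skip rather than guess
        flow = _ORG.search(chunk)
        sessions.append({
            "serial": raw.get("serial"),
            "proto": PROTO.get(int(raw["proto"]), raw["proto"]),
            "duration": int(raw["duration"]),
            "expire": int(raw.get("expire", 0)),
            "policy_id": int(raw.get("policy_id", -1)),
            "src": flow.group(1) if flow else None,
            "dst": flow.group(2) if flow else None,
        })
    return sessions

def long_lived(sessions, min_duration=1000):
    """Sessions at or above min_duration seconds, longest first."""
    hits = [s for s in sessions if s["duration"] >= min_duration]
    return sorted(hits, key=lambda s: s["duration"], reverse=True)

if __name__ == "__main__":
    for s in long_lived(parse_sessions(SAMPLE)):
        print(s["serial"], s["proto"], s["duration"], s["policy_id"], s["src"], "->", s["dst"])
```

Keeping this summary alongside the change record documents which flows and policy IDs were affected when the sessions were cleared.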