heng
Staff
Article Id 372580
Description This article describes how to correlate the session ID from the firewall session table with the Forward Traffic log in the GUI, in particular when troubleshooting a session table entry against the forward traffic log.
Scope FortiGate.
Solution
  1. The firewall admin has identified the firewall session ID as serial=0002f4bb from the session table via the CLI and wants to correlate this session ID with the Forward Traffic log via the GUI. However, the serial is displayed as a hexadecimal value, so the admin finds it difficult to locate the same serial=0002f4bb in the Forward Traffic log. The following steps show how to correlate the two.

 

session info: proto=1 proto_state=00 duration=31 expire=32 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=420/5/1 reply=420/5/1 tuples=2
tx speed(Bps/kbps): 13/0 rx speed(Bps/kbps): 13/0
orgin->sink: org pre->post, reply pre->post dev=4->27/27->4 gwy=172.18.18.1/0.0.0.0
hook=pre dir=org act=noop 10.0.0.1:11->9.9.9.9:8(0.0.0.0:0)
hook=post dir=reply act=noop 9.9.9.9:11->10.0.0.1:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=16033 auth_info=0 chk_client_info=0 vd=0:11
serial=0002f4bb tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off

 

  2. Copy the hexadecimal value from serial=0002f4bb and convert it to decimal using any online hex-to-decimal converter. The example below was converted via https://www.rapidtables.com/.

     

    The equivalent decimal value will be decimal=193723.


  3. Go to the FortiGate GUI's Forward Traffic log section, add a Session ID column, and filter on the converted value, decimal=193723, to find the corresponding log.

     


  4. Similarly, the session ID can be located in the raw log by searching for the sessionid log field.

     

    date=2025-01-25 time=22:47:01 eventtime=1737874021748286412 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.1 identifier=11 srcintf="port2" srcintfrole="undefined" dstip=9.9.9.9 dstintf="outbound0" dstintfrole="undefined" srccountry="Reserved" dstcountry="Switzerland" sessionid=193723 proto=1 vrf=11 action="accept" policyid=1 policytype="policy" poluuid="fb6aa376-d3d8-51ef-79e6-d59e95760d82" policyname="upf-1" service="PING" trandisp="noop" appcat="unscanned" duration=64 sentbyte=420 rcvdbyte=420 sentpkt=5 rcvdpkt=5

     

  5. In summary, serial in the session table and sessionid in the traffic log refer to the same firewall session ID; serial is shown in hexadecimal and sessionid in decimal.
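
The same correlation can be scripted when there are many sessions or exported raw logs to search. The following is an added example, not part of the original article or any Fortinet tool: it extracts serial= from a saved session table dump, converts it to decimal, and returns the raw log entries with a matching sessionid. The function names are hypothetical; the first log line is shortened from the one above and the second is constructed.

```python
import re

# Excerpt of the session table entry shown in step 1.
SESSION_DUMP = """\
hook=pre dir=org act=noop 10.0.0.1:11->9.9.9.9:8(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=16033 auth_info=0 chk_client_info=0 vd=0:11
serial=0002f4bb tos=ff/ff app_list=0 app=0 url_cat=0
"""

# Raw traffic logs: the first is shortened from step 4, the second is constructed.
RAW_LOGS = [
    'date=2025-01-25 time=22:47:01 type="traffic" subtype="forward" srcip=10.0.0.1 '
    'dstip=9.9.9.9 sessionid=193723 proto=1 action="accept" policyid=1 service="PING"',
    'date=2025-01-25 time=22:47:05 type="traffic" subtype="forward" srcip=10.0.0.7 '
    'dstip=192.0.2.10 sessionid=193724 proto=6 action="accept" policyid=1 service="HTTPS"',
]

SERIAL_RE = re.compile(r"\bserial=([0-9a-fA-F]+)\b")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def serials_to_session_ids(session_dump):
    """Return {hex serial: decimal sessionid} for every serial= in a session dump."""
    return {s: int(s, 16) for s in SERIAL_RE.findall(session_dump)}


def parse_log(line):
    """Split a key=value raw log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def correlate(session_dump, raw_logs):
    """Map each session serial to the raw log entries whose sessionid matches it."""
    ids = serials_to_session_ids(session_dump)
    logs = [parse_log(line) for line in raw_logs]
    return {
        serial: [log for log in logs if log.get("sessionid") == str(dec)]
        for serial, dec in ids.items()
    }


if __name__ == "__main__":
    for serial, hits in correlate(SESSION_DUMP, RAW_LOGS).items():
        print(f"serial={serial} -> sessionid={int(serial, 16)}")
        for log in hits:
            print(f"  {log['date']} {log['time']} {log['srcip']} -> {log['dstip']} policyid={log['policyid']}")
```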

 

Related article:

Troubleshooting Tip: FortiGate session table information