FortiGate
cskuan
Staff
Article Id 195478

Description


This article describes how to enable denied sessions to be added to the session table, which reduces the CPU processing spent on repeatedly denied traffic from the same source/destination IP address, port, and protocol.

 

Scope

 

FortiGate.

Solution


Below are the commands to enable a denied session to be added to the session table:

 

config system settings
    set ses-denied-traffic enable
end

 

For optimum performance, adjust the global block-session-timer (this is in seconds).

 

config system global
    set block-session-timer <1-300>  (default = <30 seconds>) 
end

 

Blocking the packets of a denied session can take more CPU processing resources than passing the traffic through.

  • When 'ses-denied-traffic' is 'enabled', FortiGate keeps the denied session in the session table for 'block-session-timer' seconds.
  • Once the block session is created, subsequent traffic matching the session resets the expiry timer. Because denied sessions are in the session table, they are tracked the same way allowed sessions are, so the FortiGate unit does not have to reassess whether to deny each packet individually.

 

If the session is denied, all packets of that session are also rejected.

 

To view the blocked session, use the following commands to list all sessions.  The sessions cannot be filtered by state or by implicit policy ID, as the implicit policy uses ID 0.

 

diagnose sys session filter clear

diagnose sys session list

 

It is recommended to run the session output in a terminal emulator such as PuTTY or SecureCRT, since the output can be extensive.

 

This is an example of a session showing denied traffic, blocked by the implicit deny policy (ID=0) with the state 'block'.

 

session info: proto=1 proto_state=00 duration=3 expire=296 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=block may_dirty f15
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=7->3/3->7 gwy=10.9.15.254/0.0.0.0
hook=pre dir=org act=noop 172.16.22.2:1->8.8.8.8:8(0.0.0.0:0)
hook=post dir=reply act=noop 8.8.8.8:1->172.16.22.2:0(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=1 auth_info=0 chk_client_info=0 vd=0
serial=0000184d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: block-by-policy


Note:

The ses-denied-traffic and block-session-timer settings are not effective at blocking denial-of-service attacks. If non-legitimate traffic is detected in sessions with policy ID 0, use ACLs to block it.


Example:


config firewall acl
    edit <id>
        set interface <interface-name>
        set srcaddr <IP_ADDRESS_SRC>
        set dstaddr <IP_ADDRESS_DST>
        set service <Service>
    next
end

 

Note:

Be aware that in NGFW policy-based mode, the only available firewall-session-dirty option is check-all.

However, even though firewall-session-dirty is available under system settings, NGFW policy-based mode does not re-evaluate blocked sessions. This is by design: blocked sessions remain in the table by default for 30 seconds:

 

FGVM-TAC (root) # show full-configuration system settings | grep dirty
set firewall-session-dirty check-all

FGVM-TAC(global) # show full-configuration | grep block
set block-session-timer 30

 

For example, ICMP traffic is blocked by the NGFW security policy, and a session is added to the session table:


session info: proto=1 proto_state=00 duration=20 expire=28 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty nb ndr
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=9->3/3->9 gwy=192.168.170.1/0.0.0.0
hook=post dir=org act=snat 192.168.12.100:1->8.8.8.8:8(192.168.170.235:5118)
hook=pre dir=reply act=dnat 8.8.8.8:5118->192.168.170.235:0(192.168.12.100:1)
hook=post dir=reply act=noop 8.8.8.8:1->192.168.12.100:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15855 auth_info=0 chk_client_info=0 vd=0
serial=000032b9 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=0  <---
npu_state=0x001108
no_ofld_reason: block-by-ips redir-to-ips denied-by-nturbo
total session: 1

 

The traffic above is blocked because security-policy 2 is disabled, so the traffic hits the implicit security-policy ID 0:

 

config firewall security-policy
    edit 2
        set uuid 8a93df0c-cfb1-51f0-1acf-ef0405904e89
        set name "Internet_users"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set enforce-default-app-port disable
        set service "ALL"  <---
        set action accept
        set schedule "always"
        set status disable  <---
        set logtraffic all
    next
end

 

After security-policy 2 is enabled (configuration changed), traffic is still blocked because the session is not getting re-evaluated:

 

FGVM-TAC (security-policy) # edit 2

FGVM-TAC (2) # set status enable

FGVM-TAC (2) # end

 

session info: proto=1 proto_state=00 duration=67 expire=29 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty nb ndr
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=9->3/3->9 gwy=192.168.170.1/0.0.0.0
hook=post dir=org act=snat 192.168.12.100:1->8.8.8.8:8(192.168.170.235:5118)
hook=pre dir=reply act=dnat 8.8.8.8:5118->192.168.170.235:0(192.168.12.100:1)
hook=post dir=reply act=noop 8.8.8.8:1->192.168.12.100:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15855 auth_info=0 chk_client_info=0 vd=0
serial=000032b9 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=0  <---
npu_state=0x001108
no_ofld_reason: block-by-ips redir-to-ips denied-by-nturbo
total session: 1

 

It is necessary to clear the blocked session or wait for the block-session-timer to expire, and then traffic is allowed by security-policy 2:

 

session info: proto=1 proto_state=00 duration=322 expire=5 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty nb ndr
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=9->3/3->9 gwy=192.168.170.1/0.0.0.0
hook=post dir=org act=snat 192.168.12.100:1->8.8.8.8:8(192.168.170.235:5118)
hook=pre dir=reply act=dnat 8.8.8.8:5118->192.168.170.235:0(192.168.12.100:1)
hook=post dir=reply act=noop 8.8.8.8:1->192.168.12.100:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15855 auth_info=0 chk_client_info=0 vd=0
serial=000032b9 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=0
npu_state=0x001108
no_ofld_reason: block-by-ips redir-to-ips denied-by-nturbo
total session: 1


FGVM-TAC (root) # diagnose sys session list
total session: 0

session info: proto=1 proto_state=00 duration=4 expire=59 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr app_valid
statistic(bytes/packets/allow_err): org=300/5/1 reply=300/5/1 tuples=3
tx speed(Bps/kbps): 66/0 rx speed(Bps/kbps): 66/0
orgin->sink: org pre->post, reply pre->post dev=9->3/3->9 gwy=192.168.170.1/0.0.0.0
hook=post dir=org act=snat 192.168.12.100:1->8.8.8.8:8(192.168.170.235:5118)
hook=pre dir=reply act=dnat 8.8.8.8:5118->192.168.170.235:0(192.168.12.100:1)
hook=post dir=reply act=noop 8.8.8.8:1->192.168.12.100:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15855 auth_info=0 chk_client_info=0 vd=0
serial=0000343a tos=ff/ff app_list=0 app=24466 url_cat=0
rpdb_link_id=00000000 ngfwid=2  <---
npu_state=0x001108
no_ofld_reason: redir-to-ips denied-by-nturbo
total session: 1
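Since 'diagnose sys session list' cannot be filtered by state or by the implicit policy ID 0, the blocked entries have to be picked out of the full listing. The following Python parser is an added example, not part of this article or of FortiOS: it splits pasted session-list output into records and reports denied sessions with the seconds left before the block-session-timer expires. The profile-based case is recognised by the 'block' state flag; the NGFW policy-based case (ngfwid=0 together with 'block-by-ips' in no_ofld_reason) is a heuristic taken from the example output above, not a documented flag. The sample input is constructed in the shape of the output shown in this article.

```python
import re

# Constructed sample in the shape of 'diagnose sys session list' output, trimmed to the lines read here.
SAMPLE = """\
session info: proto=1 proto_state=00 duration=3 expire=296 timeout=0 use=3
state=block may_dirty f15
hook=pre dir=org act=noop 172.16.22.2:1->8.8.8.8:8(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=1 auth_info=0 vd=0
no_ofld_reason: block-by-policy
session info: proto=1 proto_state=00 duration=20 expire=28 timeout=0 use=4
state=may_dirty nb ndr
hook=post dir=org act=snat 192.168.12.100:1->8.8.8.8:8(192.168.170.235:5118)
misc=0 policy_id=1 pol_uuid_idx=15855 auth_info=0 vd=0
rpdb_link_id=00000000 ngfwid=0
no_ofld_reason: block-by-ips redir-to-ips denied-by-nturbo
session info: proto=6 proto_state=01 duration=4 expire=3599 timeout=3600 use=4
state=log may_dirty ndr app_valid
hook=post dir=org act=snat 192.168.12.100:51000->10.9.15.20:443(192.168.170.235:51000)
misc=0 policy_id=1 pol_uuid_idx=15855 auth_info=0 vd=0
rpdb_link_id=00000000 ngfwid=2
no_ofld_reason: redir-to-ips denied-by-nturbo
"""

KV = re.compile(r"(\w+)=(\S+)")                 # key=value tokens on a line
FLOW = re.compile(r"(\S+:\d+)->(\S+:\d+)\(")    # src:port->dst:port( on a hook= line

def parse_sessions(text):
    """Yield one dict per 'session info:' record; list values hold state flags and offload reasons."""
    for chunk in re.split(r"(?m)^session info:", text)[1:]:
        s = {"state": [], "no_ofld_reason": []}
        for line in chunk.splitlines():
            if line.startswith("state="):
                s["state"] = line[6:].split()
            elif line.startswith("no_ofld_reason:"):
                s["no_ofld_reason"] = line.split(":", 1)[1].split()
            elif line.startswith("hook=") and " dir=org " in line and FLOW.search(line):
                s["src"], s["dst"] = FLOW.search(line).groups()   # original-direction endpoints
            elif not line.startswith("hook="):
                s.update(KV.findall(line))       # proto, expire, policy_id, ngfwid, ...
        yield s

def is_denied(s):
    # 'block' state = profile-based implicit deny; ngfwid=0 + block-by-ips = NGFW policy-based heuristic
    if "block" in s["state"]:
        return True
    return s.get("ngfwid") == "0" and "block-by-ips" in s["no_ofld_reason"]

def denied_sessions(text):
    # (src, dst, policy_id, seconds left before block-session-timer expiry) for each denied session
    return [(s.get("src"), s.get("dst"), s.get("policy_id"), int(s.get("expire", 0)))
            for s in parse_sessions(text) if is_denied(s)]
```

Paste the real listing into SAMPLE (or read it from a file) and call denied_sessions on it; the 'expire' value tells you how long to wait before a changed policy takes effect for that flow.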


Related articles:
Technical Tip: Blocking TCP Ports using ACL on FortiGate
Technical Tip: Information about firewall-session-dirty