Description
This article describes the commands used to view NAT table details on a FortiGate.
Solution
The following command lists the active sessions together with their Source NAT and/or Destination NAT translations on a FortiGate:
get system session list
For example:
get system session list
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
igmp 553 0.0.0.0:0 - 224.0.0.1:0 -
tcp 3595 10.130.0.59:49739 172.31.16.110:49739 54.75.226.147:443 -
udp 176 10.130.0.59:61876 172.31.16.110:61876 172.31.19.1:53 -
igmp 367 172.31.17.104:0 - 224.0.1.140:0 -
udp 176 10.130.0.59:58712 172.31.16.110:58712 172.31.19.1:53 -
tcp 3590 10.130.0.59:49707 172.31.16.110:49707 66.171.121.44:80 -
tcp 119 10.130.0.59:49711 172.31.16.110:49711 66.171.121.44:80 -
tcp 3595 10.130.0.59:49709 172.31.16.110:49709 66.171.121.44:80 -
udp 176 10.130.0.59:60644 172.31.16.110:60644 172.31.19.1:53 -
tcp 3596 10.130.0.59:49744 172.31.16.110:49744 46.137.125.35:80 -
udp 161 10.130.0.59:53528 172.31.16.110:53528 172.31.19.1:53 -
igmp 177 172.31.17.97:0 - 224.0.1.140:0 -
igmp 116 172.31.17.137:0 - 224.0.1.140:0 -
igmp 52 172.31.18.145:0 - 224.0.1.140:0 -
udp 175 10.130.0.59:55294 172.31.16.110:55294 172.31.19.1:53 -
tcp 3596 10.130.0.59:49749 172.31.16.110:49749 216.58.211.100:80 -
tcp 3596 10.130.0.59:49747 172.31.16.110:49747 173.194.45.90:80 -
tcp 3594 10.130.0.59:49731 172.31.16.110:49731 54.230.184.180:80 -
tcp 3598 10.130.0.59:49746 172.31.16.110:49746 173.252.88.66:443 -
tcp 3595 10.130.0.59:49738 172.31.16.110:49738 54.75.226.147:443 -
tcp 3591 10.130.0.59:49737 172.31.16.110:49737 88.221.112.131:80 -
tcp 3597 10.130.0.59:49712 172.31.16.110:49712 66.171.121.44:80 -
tcp 3591 10.130.0.59:49745 172.31.16.110:49745 46.137.125.35:80 -
tcp 3591 10.130.0.59:49743 172.31.16.110:49743 46.137.125.35:80 -
tcp 3592 10.130.0.59:49741 172.31.16.110:49741 46.137.125.35:80 -
tcp 3592 10.130.0.59:49753 172.31.16.110:49753 185.45.5.45:443 -
tcp 3592 10.130.0.59:49750 172.31.16.110:49750 104.155.59.14:80 -
tcp 3591 10.130.0.59:49748 172.31.16.110:49748 216.58.211.100:80 -
tcp 3592 10.130.0.59:49754 172.31.16.110:49754 54.175.214.91:80 -
tcp 3594 10.130.0.59:49759 172.31.16.110:49759 37.252.163.98:80 -
tcp 3589 10.130.0.59:49730 172.31.16.110:49730 173.194.45.63:443 -
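When a translated address and port from an upstream log has to be traced back to the internal host, the table above can be parsed offline. The following Python code is an added example, not part of the original article or Fortinet's tooling; the function names are this example's own, and it assumes the command output was saved as text with exactly the six columns shown and `-` meaning "no translation".

```python
from collections import namedtuple

Session = namedtuple("Session", "proto expire src src_nat dst dst_nat")

# Constructed sample: a few rows copied from the example output above.
SAMPLE = """\
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
igmp 553 0.0.0.0:0 - 224.0.0.1:0 -
tcp 3595 10.130.0.59:49739 172.31.16.110:49739 54.75.226.147:443 -
udp 176 10.130.0.59:61876 172.31.16.110:61876 172.31.19.1:53 -
tcp 3590 10.130.0.59:49707 172.31.16.110:49707 66.171.121.44:80 -
"""

def _endpoint(field):
    """Split 'ip:port' into (ip, port); '-' (no translation) becomes None."""
    if field == "-":
        return None
    ip, _, port = field.rpartition(":")
    return ip, int(port)

def parse_session_list(text):
    """Turn the six-column table into Session records; skip header and malformed rows."""
    sessions = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 6 or not cols[1].isdigit():
            continue  # header, blank line, prompt, or truncated row
        try:
            sessions.append(Session(cols[0], int(cols[1]), *map(_endpoint, cols[2:])))
        except ValueError:
            continue  # a port field that is not numeric
    return sessions

def original_source(sessions, nat_ip, nat_port, proto=None):
    """Return the pre-NAT (ip, port) behind a translated source, or None if absent."""
    for s in sessions:
        if s.src_nat == (nat_ip, nat_port) and proto in (None, s.proto):
            return s.src
    return None

def snat_summary(sessions):
    """Map each internal source IP to the sorted destinations it reached through source NAT."""
    out = {}
    for s in sessions:
        if s.src_nat and s.src and s.dst:
            out.setdefault(s.src[0], set()).add(s.dst)
    return {ip: sorted(dsts) for ip, dsts in out.items()}

if __name__ == "__main__":
    print(original_source(parse_session_list(SAMPLE), "172.31.16.110", 49739, "tcp"))
```

The session table only holds live sessions, so this lookup works on a capture taken while the session still existed; historical attribution needs traffic logs.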
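To see the NAT entry for a specific IP address, set a session filter on the source address and then list the matching sessions; the translation appears in the act=snat and act=dnat lines of the output: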
diag sys session filter src <source ip>
diag sys session list
session info: proto=1 proto_state=00 duration=60 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=1080/18/1 reply=1080/18/1 tuples=2
tx speed(Bps/kbps): 17/0 rx speed(Bps/kbps): 17/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.9.15.254/0.0.0.0
hook=post dir=org act=snat X.X.X.X:1->X.X.X.X:8(X.X.X.X:60418)
hook=pre dir=reply act=dnat X.X.X.X:60418->X.X.X.X:0(X.X.X.X:1)
misc=0 policy_id=2 pol_uuid_idx=15751 auth_info=0 chk_client_info=0 vd=0
serial=008e7bd0 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
total session 17