FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
scheehan_FTNT
Article Id 195802

Description

 
This article provides some information concerning firewall-session-dirty. It provides guidance to help choose the best approach for a given environment.


Solution

 
Firewall-session-dirty is a mechanism to make sure that active sessions always stay relevant. Two distinct behaviors would cause an active session to be validated differently.

Available options:
  • Check-all: Flush all sessions and evaluate them anew. This is the default setting (If the firewall handles a huge number of sessions, flagging all sessions as dirty, and performing a firewall policy lookup for the sessions may result in high CPU utilization).
  • Check-new: Keep existing sessions and check new connections only. This reduces CPU load and the possibility of packet loss.
  • Check-policy-option: Use the option selected in the firewall-session-dirty field of the firewall policy.
(The firewall policy-level setting is available only if the VDOM-level setting is set to check-policy-option).

Policy Level:
 
config firewall policy
    edit <id>
        set firewall-session-dirty < check-all | check-new >
    next
end
 
Note:
The session re-validation would not be triggered by changing the 'firewall-session-dirty' system setting. Only consequent firewall policy changes or route changes for new sessions would trigger the set behavior.

Configuration:
 
config system settings
    set firewall-session-dirty { check-all | check-new | check-policy-option }
end
 
Scenario 1:
With firewall-session-dirty check-all, active sessions would be marked as dirty for further firewall policy validation or route changes.
Note that there may be a CPU penalty if there are more than 2,000 firewall policies. For more information refer to the related KB article.

Validation:
 
diagnose sys session lis
Session detail snippet:
state=may_dirty
Event: [changes applied to firewall policy]
state=dirty may_dirty  <----- Sessions marked 'dirty' for firewall policy validation or route changes.
[continuous traffic cause firewall policy and route re-validation>
state=may_dirty <----- Validation done. 'dirty' marker removed.
 
A firewall policy change event means to modify a parameter related to an active/established session.
For example, changing address object, service object, schedule, ...
 
A route change event could be a new route that has a better preference than the existing route for an active/established session.

Scenario 2:
With firewall-session-dirty check-new, active sessions would be marked as persistent, and no firewall policy validation or route change lookup for existing active sessions would occur.
 
config system settings
    set firewall-session-dirty check-new
end
 
Validation:
 
diagnose sys session lis
Session detail snippet:
state=persistent
 

This setting can restore even a VDOM configuration file without affecting established sessions.

 

Related article:

Technical Note: Firewall policy sequence may cause high CPU during policy add/modify.