Description
This article describes the meaning of the counter fields in the 'diagnose system session full-stat' output.
Scope
FortiGate.
Solution
Below is the output of the 'diagnose system session full-stat' debug commands output:
diagnose system session full-stat
session table: table_size=262144 max_depth=1 used=24
misc info: session_count=12 setup_rate=0 exp_count=0 clash=0
memory_tension_drop=0 ephemeral=0/131062 removeable=0
delete=0, flush=0, dev_down=0/0 ses_flush_filters=0
flush_work_num=0
TCP sessions:
3 in ESTABLISHED state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000000
fqdn6_count=00000000
……………
'ephemeral': Current number of sessions in ephemeral state. An ephemeral session is either a TCP session in an establishing phase or a UDP session with only a single packet received, not bidirectional.
Since FortiGate has to allocate memory to manage the session. These sorts of open sessions are common forms of DoS attacks.
In order to avoid the common attacks, the FortiGate categorizes sessions in these states as Ephemeral and sets a limit (based on the model) for how many sessions can exist at once so that memory is not exhausted. Essentially, it is for DoS protection.
'memory_tension_drop': Number of sessions deleted because the system is running low on memory. The oldest sessions will be dropped in this case. The TCP local session will not be deleted.
'removable': counts the number of existing firewall sessions that are candidates for deletion/removal if a new session needs to be created and there is no memory left to create the new session, unless an existing session is deleted first.
'delete': counts the number of firewall sessions that were deleted either by user action or because some feature required a specific session to be deleted to avoid an anomaly occurring. Some examples of this are:
- If the admin uses the GUI to delete a specific session.
- If an IPS rule matches, the session has 'set action reset'.
- When an SIP ALG session is deleted, because the call has ended, then if the call was made over UDP, the SIP ALG deletes the corresponding kernel session to avoid the kernel session accidentally being reused for a different SIP call.
'flush': counts the number of times a request was made to flush firewall sessions matching specific criteria, either by user action or because some feature required those sessions to be deleted in order to avoid an anomaly occurring.
The reason this is separate from delete is that a request to remove a specific session is much more efficient to implement than a request to delete all sessions matching a specific criteria and so it is useful to know how many times the more expensive flush was done.
'dev_down': counts the number of times a request was made to delete all firewall sessions related to an IPsec interface that has been taken administratively down.
'tt': is always 0 from FortiOS 3.00 onwards. Back in FortiOS 2.80, it counted the number of times that traffic triggered an IKE negotiation.
'cont': counts the number of packets that were sent to IPS, given a pass, and now continue (hence the name) on for processing by a proxy (historically one that was performing AV). The count is displayed in hexadecimal.
'ids_recv' (FortiOS v6.4 and older) or 'ips_recv' (FortiOS v7.0 and later): counts the number of packets that are sent to IPS for processing. Note that if the model supports nTurbo and it is enabled, then packets delivered to IPS via the nTurbo path are not counted here. The count is displayed in hexadecimal.
'ids_recv': is always 0 from FortiOS v3.00 onwards. Back in FortiOS v2.80, it counted the number of URL rating requests sent by the kernel to the urlfilter process.
'av_recv': counts the number of packets that are sent to one or more proxies for processing. Historically, this meant the proxy that performed AV (hence the antivirus in the name), but since FortiOS v3.00, it has also counted other cases where traffic is proxied, such as the SIP ALG. The count is displayed in hexadecimal.
'fqdn_count': counts the number of FQDN entries that currently exist in the kernel corresponding to the FQDNs defined in config firewall address, config firewall address6, and config firewall service. The count is displayed in hexadecimal.
'error1': Indicates there was a mismatch between the encryption state of the packet received and the session the packet belongs to. Either the packet was plain text when the session says it should have been decrypted (such as during a spoof), or the packet was decrypted properly, but the session has no associated IPsec tunnel.
'error2': Counts the number of times that on egress the chosen interface does not match the expected interface as cached in the session, and thus the packet is dropped, and the session is deleted. Mostly related to cases where this can happen is with policy-based IPsec.
'error3': When an expectation is created to open a pinhole in the firewall, the expectation is linked to the session whose traffic was being processed, which resulted in the creation of the expectation. The number of expectation sessions that can simultaneously be connected to a parent session is capped. The error3 count is incremented each time the cap is reached.
