FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
cskuan
Staff
Staff

Description
This article explains the meaning of for the counter fields in ‘diagnose sys session full-stat’ output.

Solution
Below is the output of ‘diagnose test application ipsmonitor 14’ debug commands output:

# diag sys session full-stat
session table:           table_size=262144 max_depth=1 used=24
misc info:       session_count=12 setup_rate=0 exp_count=0 clash=0
        memory_tension_drop=0 ephemeral=0/131062 removeable=0
delete=0, flush=0, dev_down=0/0 ses_flush_filters=0
flush_work_num=0
TCP sessions:
         3 in ESTABLISHED state
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000000
fqdn6_count=00000000
……………

'removeable': counts the number of existing firewall sessions that are candidates for deletion/removal in the event that a new session needs to be created and there is no memory left to create the new session unless an existing session is deleted first.

'delete': counts the number of firewall sessions that were deleted either by user action or because some feature required a specific session to be deleted to avoid an anomaly occurring. Some examples of this are :-
- If the admin uses the GUI to delete a specific session.
- If an IPS rule matches the session has 'set action reset'.
- When a SIP ALG session is deleted, because the call has ended, then if the call was made over UDP the SIP ALG deletes the corresponding kernel session to avoid the kernel session accidentally being re-used for a different SIP call.

'flush': counts the number of times a request was made to flush firewall sessions matching a specific criteria either by user action or because some feature required those sessions to be deleted in order to avoid an anomaly occurring.
The reason this is separate from delete is that a request to remove a specific session is much more efficient to implement than a request to delete all sessions matching a specific criteria and so it is useful to know how many times the more expensive flush was done.

'dev_down': counts the number of times a request was made to delete all firewall sessions related to an IPsec interface which has been taken administratively down.

'tt': is always 0 from FOS 3.00 onwards. Back in FOS 2.80 it counted the number of times that traffic triggered an IKE negotiation.

'cont': counts the number of packets that were sent to IPS, given a pass and now continue (hence the name) on for processing by a proxy (historically one that was performing AV). The count is displayed in hexadecimal.

'ids_recv': counts the number of packets that are sent to IPS for processing. Note that if the model supports nTurbo and it is enabled then packets delivered to IPS via nTurbo path are not counted here. The count is displayed in hexadecimal.

'ids_recv': is always 0 from FOS 3.00 onwards. Back in FOS 2.80 it counted the number of URL rating requests sent by the kernel to the urlfilter process.

'av_recv': counts the number of packets that are sent to one or more proxies for processing. Historically this meant the proxy that performed AV (hence the av in the name) but since FOS 3.00 it has also counted other cases where traffic is proxied such as the SIP ALG. The count is displayed in hexadecimal.

'fqdn_count': counts the number of FQDN entries that currently exist in the kernel corresponding to the FQDNs defined in config firewall address, config firewall address6 and config firewall service. The count is displayed in hexadecimal.

Contributors