FortiGate
gessakkiappan
Article Id 196925

Description


Forward traffic logs and the session output show the same session ID on multiple sessions. This article describes this behavior.

 

Scope

 

FortiGate.

Solution
Multiple sessions in the firewall session output and in the forward traffic logs display the same session ID.

When a session is created by a session helper, the child sessions carry the same session ID that was assigned to the parent session.

For example:

If the Session helper is configured for the FTP protocol, all data channels will have the same session ID as the control channel session.

Below is an example of an RPC session and its child sessions.

RPC parent session:

 

session info: proto=6 proto_state=05 duration=402147 expire=4 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=9
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=Chennai-DR/ helper=dcerpc vlan_cos=0/255 <----- RPC helper enabled for the session.
state=log dirty may_dirty f00
statistic(bytes/packets/allow_err): org=620/7/1 reply=452/4/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.59.1.251:65465->172.29.3.112:135(0.0.0.0:0)
hook=post dir=reply act=noop 172.29.3.112:135->10.59.1.251:65465(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0 <----- Policy ID that allows the traffic.
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0 <----- 00678c12 is the session ID.
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0

 

Child sessions (allowed by the session helper triggered on the above session):

 

session info: proto=6 proto_state=01 duration=29546 expire=3575 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=Chennai-DR/ vlan_cos=255/255
state=log intree <----- The 'intree' flag means this is a child session.
statistic(bytes/packets/allow_err): org=16290/158/1 reply=56899/189/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 2/0
orgin->sink: org pre->post, reply pre->post dev=32->35/35->32 gwy=172.29.3.112/10.59.1.251
hook=post dir=org act=noop 10.59.1.251:63393->172.29.3.112:63807(0.0.0.0:0) <----- Same source/destination but different ports.
hook=pre dir=reply act=noop 172.29.3.112:63807->10.59.1.251:63393(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0 <----- Same policy ID as the parent.
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0 <----- Same session ID as the parent.
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0

session info: proto=6 proto_state=01 duration=25 expire=3584 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=Chennai-DR/ vlan_cos=255/255
state=log intree <----- Another child session.
statistic(bytes/packets/allow_err): org=137880/1427/1 reply=3690440/2666/1 tuples=2
tx speed(Bps/kbps): 5369/42 rx speed(Bps/kbps): 143708/1149
orgin->sink: org pre->post, reply pre->post dev=32->35/35->32 gwy=172.29.3.112/10.59.1.251
hook=post dir=org act=noop 10.59.1.251:53891->172.29.3.112:49156(0.0.0.0:0) <----- Different ports.
hook=pre dir=reply act=noop 172.29.3.112:49156->10.59.1.251:53891(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0 <----- Same policy ID as the parent.
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0 <----- Same session ID as the parent.
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0

 

SIP parent session:

 

session info: proto=17 proto_state=01 duration=2304517 expire=3599 timeout=130 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=21
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=0.0.0.0/20.20.20.2 helper=sip vlan_cos=0/255 <----- SIP helper enabled for the session.
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=34200720/44806/1 reply=31805966/82337/1 tuples=2
tx speed(Bps/kbps): 14/0 rx speed(Bps/kbps): 13/0
orgin->sink: org pre->post, reply pre->post dev=123->26/26->123 gwy=172.16.2.2/20.20.20.2
hook=pre dir=org act=noop 172.17.204.100:5060->192.168.2.2:5060(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.2.2:5060->172.17.204.100:5060(0.0.0.0:0)
dst_mac=00:09:0f:09:00:13
misc=0 policy_id=69 pol_uuid_idx=2437 auth_info=0 chk_client_info=0 vd=0 <----- Policy ID that allows the traffic.
serial=01d95497 tos=ff/ff app_list=0 app=0 url_cat=0 <----- 01d95497 is the session ID.
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x2140101 no_offload
npu info: flag=0x00/0x82, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0, ha_divert=0/0
no_ofld_reason: disabled-by-policy helper

 

Child session (allowed by the session helper triggered on the above session):

 

session info: proto=17 proto_state=01 duration=1680 expire=3588 timeout=130 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=0.0.0.0/170.79.100.35 helper=sip vlan_cos=255/255
state=log npu intree <----- The 'intree' flag.
statistic(bytes/packets/allow_err): org=14905/51/1 reply=13473/34/1 tuples=2
tx speed(Bps/kbps): 14/0 rx speed(Bps/kbps): 13/0
orgin->sink: org pre->post, reply pre->post dev=117->26/26->117 gwy=172.16.2.2/170.79.100.35
hook=post dir=org act=noop 10.10.204.10:5060->192.168.2.2:5060(0.0.0.0:0) <----- Same destination but different source.
hook=pre dir=reply act=noop 192.168.2.2:5060->10.10.204.10:5060(0.0.0.0:0)
dst_mac=00:09:0f:09:00:13
misc=0 policy_id=69 pol_uuid_idx=2437 auth_info=0 chk_client_info=0 vd=0 <----- Same policy ID as the parent.
serial=01d95497 tos=ff/ff app_list=0 app=0 url_cat=0 <----- Same session ID as the parent.
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000101 no_offload
npu info: flag=0x00/0x82, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0, ha_divert=0/0
no_ofld_reason: disabled-by-policy
total session: 1

 

This is expected behavior: a parent session and the child sessions its helper opens form one session tree and share one session ID, so the repeated ID in the logs is not a duplicate or reused session.
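As an added example (not code from the article or from Fortinet), the Python below parses session-list output of the form shown above, groups entries by serial and separates the helper parent from its 'intree' children, which is the check an analyst would run to confirm that repeated session IDs in the forward traffic logs belong to one helper-created session tree. The sample dump is constructed from the RPC output above and abridged to the fields the parser uses.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the article's RPC output: a dcerpc parent
# and an 'intree' child that both carry serial=00678c12.
SAMPLE = """\
session info: proto=6 proto_state=05 duration=402147 expire=4 timeout=3600 use=9
class_id=0 ha_id=0 policy_dir=0 tunnel=Chennai-DR/ helper=dcerpc vlan_cos=0/255
state=log dirty may_dirty f00
hook=pre dir=org act=noop 10.59.1.251:65465->172.29.3.112:135(0.0.0.0:0)
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=29546 expire=3575 timeout=3600 use=6
state=log intree
hook=post dir=org act=noop 10.59.1.251:63393->172.29.3.112:63807(0.0.0.0:0)
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0
total session: 2
"""

# First capture group of each pattern is the field value we keep per session.
FIELDS = {"serial": r"\bserial=([0-9a-f]+)", "helper": r"\bhelper=(\S+)",
          "policy_id": r"\bpolicy_id=(\d+)", "org": r"dir=org act=\S+ (\S+->\S+)\("}

def parse_sessions(text):
    """Split the dump at each 'session info:' header; record the 'intree' flag."""
    sessions = []
    for block in re.split(r"^(?=session info:)", text, flags=re.M):
        if not block.startswith("session info:"):
            continue  # text before the first header
        s = {**dict.fromkeys(FIELDS), "intree": False}
        for line in block.splitlines():
            for key, pat in FIELDS.items():
                if m := re.search(pat, line):
                    s[key] = m.group(1)
            if line.startswith("state=") and "intree" in line.split():
                s["intree"] = True  # child opened by the parent's helper
        sessions.append(s)
    return sessions

def group_by_serial(sessions):
    """serial -> parent (non-intree) and children; several entries under one
    serial are a helper parent plus its data channels, not a reused session ID."""
    groups = defaultdict(lambda: {"parent": None, "children": []})
    for s in sessions:
        g = groups[s["serial"]]
        if s["intree"]:
            g["children"].append(s)
        else:
            g["parent"] = s
    return dict(groups)
```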