FortiGate
cbenejean
Staff
Article Id 197839
Description
This article explains the session-related counters displayed by the command diag sys session stat:
# diag sys session stat
misc info: session_count=0 setup_rate=250 exp_count=0 clash=0
        memory_tension_drop=0 ephemeral=0/0 removeable=0 ha_scan=0
delete=0, flush=0, dev_down=0/0

Solution
session_count: Total number of current sessions.

setup_rate: Current number of created sessions per second.

exp_count: Current number of session expectations.

clash: Total number of session clashes (cumulative).

A session clash occurs when a new session is created while a conflicting session with the same tuple already exists. When a clash happens, the old session is deleted and replaced by the new one. The only consequence is that it may cause some retransmissions.

memory_tension_drop: Number of sessions deleted because the system is running low on memory. The oldest sessions are dropped in this case; TCP local sessions are not deleted.

ephemeral: Current number of sessions in ephemeral state. An ephemeral session is either:

- a TCP session still in the establishing phase, or
- a UDP session for which only a single packet has been received.

The FortiGate has to allocate memory to manage each such session, and large numbers of these open sessions are a common form of DoS attack.

To reduce the impact of such attacks, the FortiGate classifies sessions in these states as ephemeral and sets a limit (depending on the model) on how many can exist at once, so that memory is not exhausted. Essentially, this counter exists for DoS protection.

removeable: Current number of sessions in removeable state.

A session is put in the removeable state when the total number of sessions has reached a certain limit. Above this limit, every newly created session has the REMOVEABLE flag set.

When the system is unable to create new sessions because a limit has been reached, the removeable sessions are deleted first until a new session can be created.

ha_scan: Number of sessions handled by proxy.

delete: Total number of sessions that have been removed because they have been deleted.

flush: Total number of sessions that have been removed because they have been flushed.

dev_down: Total number of sessions that have been removed because an interface went down.
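As an added example (not part of the original article or a Fortinet tool), the script below parses two samples of the misc info block and turns the counters explained above into monitoring findings: deltas for the cumulative counters, memory-pressure drops, the ephemeral count against its limit, and sessions flagged REMOVEABLE. The sample outputs are constructed, and reading the second number of an a/b value (ephemeral, dev_down) as a limit is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample output in the format the article shows; not captured from a real device.
SAMPLE_BEFORE = """\
misc info: session_count=1200 setup_rate=250 exp_count=3 clash=10
        memory_tension_drop=0 ephemeral=40/2000 removeable=0 ha_scan=0
delete=500, flush=0, dev_down=0/0
"""
SAMPLE_AFTER = """\
misc info: session_count=4800 setup_rate=900 exp_count=3 clash=95
        memory_tension_drop=12 ephemeral=1800/2000 removeable=300 ha_scan=0
delete=700, flush=0, dev_down=0/0
"""

TOKEN = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

def parse_session_stat(text: str) -> Dict[str, int]:
    """Return every name=value counter of the misc info block as an int.
    A value written as a/b (ephemeral, dev_down) is stored as name and name_max;
    treating the second number as a limit is an assumption, not stated in the article."""
    counters: Dict[str, int] = {}
    for name, first, second in TOKEN.findall(text):
        counters[name] = int(first)
        if second:
            counters[name + "_max"] = int(second)
    return counters

# Counters the article describes as cumulative totals; only their deltas are meaningful.
CUMULATIVE = ("clash", "memory_tension_drop", "delete", "flush", "dev_down")

def assess(before: Dict[str, int], after: Dict[str, int], ephemeral_warn: float = 0.8) -> List[str]:
    """Compare two samples and return human-readable findings for a monitoring alert."""
    findings: List[str] = []
    delta = {k: after.get(k, 0) - before.get(k, 0) for k in CUMULATIVE}
    if delta["memory_tension_drop"] > 0:
        findings.append(f"memory pressure: {delta['memory_tension_drop']} sessions dropped")
    if delta["clash"] > 0:
        findings.append(f"{delta['clash']} session clashes (expect some retransmissions)")
    limit = after.get("ephemeral_max", 0)
    if limit and after["ephemeral"] / limit >= ephemeral_warn:
        pct = 100 * after["ephemeral"] // limit
        findings.append(f"ephemeral sessions at {pct}% of limit (possible half-open TCP/UDP flood)")
    if after.get("removeable", 0) > 0:
        findings.append(f"session table over limit: {after['removeable']} sessions flagged REMOVEABLE")
    return findings

if __name__ == "__main__":
    for line in assess(parse_session_stat(SAMPLE_BEFORE), parse_session_stat(SAMPLE_AFTER)):
        print(line)
```

In practice the two samples would come from running diag sys session stat at an interval and feeding the output to parse_session_stat.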
