Created on
05-15-2015
10:35 AM
Edited on
05-30-2025
11:33 AM
By
synack2021
Description
This article describes how session helpers set up expectation sessions. Session helpers in FortiOS provide basic Application Layer Gateway (ALG) functionality.
Scope
FortiGate.
Solution
Session helpers track the communication of Layer-7 protocols such as FTP and dynamically open the ports required for that communication.
The session helpers record these dynamic ports in the form of expectation sessions.
An expectation session is a pseudo-session that the session helper creates for the ports negotiated by the upper-layer protocol.
An expectation session usually has a timeout value of 30 seconds.
Hence, if the server does not initiate the communication within 30 seconds, the expectation session times out and the traffic is denied.
The following debug commands can be executed to verify that the session helper is opening the ports as required.
Determining whether session helpers are being used.
A debug flow trace shows whether the session helper is running for the particular traffic.
id=13 trace_id=1098 msg="vd-root received a packet(proto=6, 10.1.1.2:53541->93.157.14.94:21) from internal1.flag
id=13 trace_id=1098 msg="Find an existing session, id-008423f4, original direction"
id=13 trace_id=1098 msg="SNAT 10.1.1.2->172.17.97.24:53541"
id=13 trace_id=1098 msg="run helper-ftp(dir=original)"
The pinhole ports that the session helper opened can be verified with the following command, which lists the expectation sessions:
FGT_A # diagnose sys session list expectation
session info: proto=6 proto_state=00 duration=6 expire=23 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=1 tunnel=/
state=new npu acct-ext complex
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->7/7->5 gwy=10.1.1.2/172.17.97.3
hook=pre dir=org act=dnat 93.157.14.94:0->172.17.97.24:60456(10.1.1.2:53584)
hook=pre dir=org act=noop 0.0.0.0:0->0.0.0.0:0(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=25 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=008423f4 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
per_ip_bandwidth meter: addr=10.1.1.2, bps=223
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0/0
'policy_id=25'
Even though the policy ID is 25 in the example, this does not mean that the traffic matches policy 25. The value 'policy_id=25' in the expect session is simply copied from the master session, which is the oldest helper-ftp session. Once an expect session is created, it acts as a pinhole through the firewall policy: traffic matching the expect session does not need to match, or be allowed by, a firewall policy in order to be forwarded by the system. If the master session is cleared, all of its expect sessions are cleared as well, and a new helper-ftp session must be established before the connection can be re-established.
The new session must match a firewall policy, and all of its expect sessions copy this new policy_id. The value of policy_id in the expect session, whether it is 25 or another value, does not affect how the corresponding traffic is forwarded. The initial session (dce-rpc, icmp or another protocol) must match a forwarding policy, and its policy_id indicates the policy it matched. However, traffic hitting an expect session has not necessarily matched any firewall policy: such traffic needs no corresponding firewall policy, which is exactly what session helpers are for.
If the firewall policy should control all traffic between the source and destination hosts, including the traffic matching the 'master session' and the 'expect session', delete the corresponding helper and configure the service appropriately in the corresponding firewall policy. This is not a workaround: expectation sessions are not designed to be controlled by firewall policies.
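As an added example that is not part of the original article, the following Python snippet parses the output of 'diagnose sys session list expectation' shown above into one record per pinhole, so the open pinholes, their master session and the time left before they expire can be audited. The second session in the sample input is constructed (hypothetical), and the policy_id field is reported as inherited from the master session, as the text explains.

```python
import re
from dataclasses import dataclass

# Constructed sample of 'diagnose sys session list expectation': the first block
# mirrors the article's output, the second is a hypothetical UDP pinhole.
SAMPLE = """\
session info: proto=6 proto_state=00 duration=6 expire=23 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
hook=pre dir=org act=dnat 93.157.14.94:0->172.17.97.24:60456(10.1.1.2:53584)
misc=0 policy_id=25 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=008423f4 tos=ff/ff ips_view=0 app_list=0 app=0
session info: proto=17 proto_state=00 duration=28 expire=2 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=pre dir=org act=dnat 198.51.100.7:0->172.17.97.24:40000(10.1.1.9:40000)
misc=0 policy_id=25 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00842a10 tos=ff/ff ips_view=0 app_list=0 app=0
"""
PROTO = {6: "tcp", 17: "udp"}

@dataclass
class Pinhole:
    proto: int
    expire: int      # seconds left before the pinhole closes (about 30 s when created)
    serial: str      # same value as the session id shown in the debug flow trace
    policy_id: int   # copied from the master session; not evidence of a policy match
    src: str         # external peer allowed to initiate (port 0 = any source port)
    nat_dst: str     # destination before DNAT (the FortiGate's NAT address:port)
    real_dst: str    # internal host:port the packet is translated to

def parse_expectation_sessions(text: str) -> list[Pinhole]:
    """Return one Pinhole per session block; blocks without a dnat tuple are skipped."""
    pinholes = []
    for block in text.split("session info:")[1:]:
        kv = dict(re.findall(r"(\w+)=(\S+)", block))   # key=value fields of this block
        tup = re.search(r"act=dnat (\S+)->(\S+)\((\S+)\)", block)
        if not tup:
            continue
        pinholes.append(Pinhole(int(kv["proto"]), int(kv["expire"]), kv["serial"],
                                int(kv["policy_id"]), *tup.groups()))
    return pinholes

def describe(p: Pinhole) -> str:
    """One audit line per pinhole; policy_id is reported as inherited, not matched."""
    host, port = p.src.rsplit(":", 1)
    src = f"{host}:any" if port == "0" else p.src
    return (f"{PROTO.get(p.proto, p.proto)} pinhole {src} -> {p.nat_dst} ({p.real_dst}), "
            f"master {p.serial}, inherited policy_id={p.policy_id}, closes in {p.expire}s")

def expiring_soon(text: str, threshold: int = 5) -> list[str]:
    # Audit lines for pinholes that will time out within 'threshold' seconds
    return [describe(p) for p in parse_expectation_sessions(text) if p.expire <= threshold]
```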
Copyright 2025 Fortinet, Inc. All Rights Reserved.