FortiGate
rmetzger, Staff
Article Id 191368

Description

This article explains how to use filters to clear sessions on a FortiGate unit with the CLI command:

diagnose sys session <arguments>

Scope

FortiGate.


Solution

Clearing sessions matching some common filtering criteria can be done from the CLI in 2 steps:

1. Set up a session filter.

The base command is 'diagnose sys session filter <options>'.

To see the options, type:

diagnose sys session filter ?

vd                Index of virtual domain. -1 matches all.
vd-name           Name of virtual domain. -1 or "any" matches all.
sintf             Source interface.
dintf             Destination interface.
src               Source IP address.
nsrc              NAT'd source ip address
dst               Destination IP address.
proto             Protocol number.
sport             Source port.
nport             NAT'd source port
dport             Destination port.
policy            Policy ID.
expire            expire
duration          duration
proto-state       Protocol state.
session-state1    Session state1.
session-state2    Session state2.
ext-src           Add a source address to the extended match list.
ext-dst           Add a destination address to the extended match list.
ext-src-negate    Add a source address to the negated extended match list.
ext-dst-negate    Add a destination address to the negated extended match list.
clear             Clear session filter.
negate            Inverse filter.

 

Notes:

• The following options are only available in FortiOS version 5.4.1 and above:

session-state1    Session state1.
session-state2    Session state2.

• The following options are only available in FortiOS version 6.0.4 and above:

ext-src           Add a source address to the extended match list.
ext-dst           Add a destination address to the extended match list.
ext-src-negate    Add a source address to the negated extended match list.
ext-dst-negate    Add a destination address to the negated extended match list.

 

To see the current filter settings, type:

diagnose sys session filter

        session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: any
        NAT'd source ip: any
        dest ip: any
        source port: any
        NAT'd source port: any
        dest port: any
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any

Example of filter matching a source IP and a destination port:

diagnose sys session filter src 10.160.0.1
diagnose sys session filter dport 80
diagnose sys session filter

        session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: 10.160.0.1-10.160.0.1
        NAT'd source ip: any
        dest ip: any
        source port: any
        NAT'd source port: any
        dest port: 80-80
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any

 

Example of filter matching a range of source IPs and a range of destination ports:

diagnose sys session filter src 10.160.0.1 10.160.0.10
diagnose sys session filter dport 80 888
diagnose sys session filter

        session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: 10.160.0.1-10.160.0.10
        NAT'd source ip: any
        dest ip: any
        source port: any
        NAT'd source port: any
        dest port: 80-888
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any

 

Example of filter matching a source IP without filtering any port:

diagnose sys session filter src 10.160.0.1
diagnose sys session filter

        session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: 10.160.0.1-10.160.0.10
        NAT'd source ip: any
        dest ip: any
        source port: any
        NAT'd source port: any
        dest port: any
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any

 

Example of filter matching a destination IP without filtering any port:

diagnose sys session filter dst 10.160.0.1
diagnose sys session filter

        session filter:
        vd: any
        sintf: any
        dintf: any
        proto: any
        proto-state: any
        source ip: any
        NAT'd source ip: any
        dest ip: 10.160.0.1-10.160.0.1
        source port: any
        NAT'd source port: any
        dest port: any
        policy id: any
        expire: any
        duration: any
        state1: any
        state2: any

 

 

Example of session list output:

diagnose sys session list

        session list

        session info: proto=6 proto_state=01 duration=536 expire=3596 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
        origin-shaper=
        reply-shaper=
        per_ip_shaper=
        class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
        state=log local
        statistic(bytes/packets/allow_err): org=12719/77/1 reply=29093/41/1 tuples=2
        tx speed(Bps/kbps): 23/0 rx speed(Bps/kbps): 87/0
        orgin->sink: org out->post, reply pre->in dev=18->22/22->18 gwy=0.0.0.0/10.109.49.31
        hook=out dir=org act=noop 10.109.49.31:5627->96.45.46.46:853(0.0.0.0:0)
        hook=in dir=reply act=noop 96.45.46.46:853->10.109.49.31:5627(0.0.0.0:0)
        pos/(before,after) 0/(0,0), 0/(0,0)
        misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
        serial=012c0e1d tos=ff/ff app_list=0 app=0 url_cat=0
        rpdb_link_id=00000000 ngfwid=n/a
        npu_state=00000000
        no_ofld_reason: local

 

 

2. Clear the session(s) matching the filter defined previously with the command:

diagnose sys session clear

     

Warning:

Using the 'diagnose sys session clear' command without any filter will clear all sessions currently opened on the FortiGate.

Note:

To see the session list, use the following command. The output will also be based on the filter defined previously:


diagnose sys session list
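As an added example (not part of this article and not Fortinet tooling), the Python below parses text in the layout of 'diagnose sys session list' and applies the range semantics that 'diagnose sys session filter' displays (src, dst, sport, dport, proto and policy as low-high ranges, a single value being low == high, None meaning 'any'), so an operator can preview which sessions a filter would remove before running 'diagnose sys session clear'. The two session entries are constructed, and only the fields shown on this page are parsed.

```python
import ipaddress
import re

# Constructed sample in the layout of 'diagnose sys session list' (values made up, not from a real unit).
SAMPLE_LIST = """\
session info: proto=6 proto_state=01 duration=536 expire=3596 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=out dir=org act=noop 10.160.0.3:5627->203.0.113.10:80(0.0.0.0:0)
hook=in dir=reply act=noop 203.0.113.10:80->10.160.0.3:5627(0.0.0.0:0)
misc=0 policy_id=12 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=12 expire=170 timeout=180 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=out dir=org act=noop 10.160.0.50:40000->203.0.113.20:53(0.0.0.0:0)
hook=in dir=reply act=noop 203.0.113.20:53->10.160.0.50:40000(0.0.0.0:0)
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# Original-direction flow line: src:sport->dst:dport(nat_ip:nat_port)
ORG_RE = re.compile(r"dir=org act=\S+ (\S+):(\d+)->(\S+):(\d+)\(")
FILTER_KEYS = ("src", "dst", "sport", "dport", "proto", "policy_id")


def parse_session_list(text):
    """One dict per 'session info:' block: key=value fields plus the 5-tuple."""
    sessions = []
    for block in text.split("session info:")[1:]:
        s = dict(KV_RE.findall(block))
        m = ORG_RE.search(block)
        if m:
            s.update(src=m.group(1), sport=int(m.group(2)),
                     dst=m.group(3), dport=int(m.group(4)))
        s["proto"] = int(s.get("proto", 0))
        s["policy_id"] = int(s.get("policy_id", 0))
        sessions.append(s)
    return sessions


def in_range(value, rng):
    """rng is (low, high) as the CLI filter displays it; a single value is low == high; None means 'any'."""
    if rng is None:
        return True
    if value is None:
        return False
    if isinstance(value, str):  # IP bounds must compare numerically, not as text
        value, rng = ipaddress.ip_address(value), tuple(map(ipaddress.ip_address, rng))
    return rng[0] <= value <= rng[1]


def preview_clear(text, flt):
    """Sessions that 'diagnose sys session clear' would remove under filter flt."""
    return [s for s in parse_session_list(text)
            if all(in_range(s.get(k), flt.get(k)) for k in FILTER_KEYS)]
```

Compare the preview against a filter built fresh after 'diagnose sys session filter clear', so criteria left over from an earlier filter do not widen what gets cleared.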

 

Related article:

Troubleshooting Tip: FortiGate session table information.