Description
This article provides an explanation of various fields of the FortiGate session table.
Scope
Any supported version of FortiGate.
Solution
To display the session table:
diagnose sys session list
To set up a session filter:
diagnose sys session filter <options>
clear clear session filter
dport dest port
dst dest ip address
duration duration
expire expire
negate inverse filter
policy policy id
proto protocol number
sport source port
src source ip address
vd index of virtual domain. -1 matches all
Starting with FortiOS versions 7.2.x and above, more filters will be visible:
di sys session filter ? <- Use '?' after 'filter' in this command to list all filter options.
vd Index of virtual domain. -1 matches all.
vd-name Name of virtual domain. -1 or "any" matches all.
sintf Source interface.
dintf Destination interface.
src Source IP address.
nsrc NAT'd source ip address
dst Destination IP address.
proto Protocol number.
sport Source port.
nport NAT'd source port
dport Destination port.
policy Policy ID.
expire expire
duration duration
proto-state Protocol state.
session-state1 Session state1.
session-state2 Session state2.
ext-src Add a source address to the extended match list.
ext-dst Add a destination address to the extended match list.
ext-src-negate Add a source address to the negated extended match list.
ext-dst-negate Add a destination address to the negated extended match list.
clear Clear session filter.
negate Inverse filter.
To clear filtered sessions (or all sessions, if no session filter is set):
diagnose sys session clear
After we clear the session then you can clear the session filter as well so that next time you do not see the older filter sessions:
It is also a good practice to use this command before using any session filter.
di sys session filter clear
Example of session table entry:
session info: proto=6 proto_state=01 duration=142250 expire=3596 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=255/255
state=local
statistic(bytes/packets/allow_err): org=9376719/61304/1 reply=3930213/32743/1 tuples=2
tx speed(Bps/kbps): 65/0 rx speed(Bps/kbps): 27/0
orgin->sink: org out->post, reply pre->in dev=13->0/0->13 gwy=0.0.0.0/10.5.27.238
hook=out dir=org act=noop 10.5.27.238:16844->173.243.132.165:514(0.0.0.0:0)
hook=in dir=reply act=noop 173.243.132.165:514->10.5.27.238:16844(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0161f3cf tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
proto: protocol number
proto_state: state of the session (depending on protocol)
- ICMP (proto 1).
Note: There are no states for ICMP. It always shows proto_state=00.
- TCP (proto 6).
Note: proto_state is a 2-digit number because the FortiGate is a stateful firewall (keeps track of both directions of the session); proto_state=OR means the Original direction and the Reply direction.
|
State
|
Value
|
Expire Timer (default)
|
|
NONE
|
0
|
10 s
|
|
ESTABLISHED
|
1
|
3600 s
|
|
SYN_SENT
|
2
|
10 s
|
|
SYN & SYN/ACK
|
3
|
10 s
|
|
FIN_WAIT
|
4
|
120 s
|
|
TIME_WAIT
|
5
|
1 s
|
|
CLOSE
|
6
|
10 s
|
|
CLOSE_WAIT
|
7
|
120 s
|
|
LAST_ACK
|
8
|
30 s
|
|
LISTEN
|
9
|
120 s
|
For TCP, the first number (from left to right) is related to the server-side state and is 0 when the session is not subject to any inspection (flow or proxy). If flow or proxy inspection is done, then the first digit will be different from 0.
The second digit is the client-side state. The table above correlates the second-digit value with the different TCP session states. For example, when FortiGate receives the SYN packet, the second digit is 2. It changes to 3 when the SYN/ACK packet is received. After the three-way handshake, the state value changes to 1.
When a session is closed by both sides, FortiGate keeps that session in the session table for a few seconds more, to allow for any out-of-order packets that might arrive after the FIN/ACK packet. This is the state value 5.
- UDP (proto 17).
Note: Even though UDP is a stateless protocol, the FortiGate still keeps track of 2 different 'states'.
|
State
|
Value
|
|
UDP Reply not seen
|
0
|
|
UDP Reply seen
|
1
|
UDP time to live (TTL) - Expire Timer, is by default 180 seconds.
- SCTP (proto 132).
|
State
|
Value
|
Expire Timer (default)
|
|
SCTP_S_NONE
|
0
|
60 s
|
|
SCTP_S_ESTABLISHED
|
1
|
3600 s
|
|
SCTP_S_CLOSED
|
2
|
10 s
|
|
SCTP_S_COOKIE_WAIT
|
3
|
5 s
|
|
SCTP_S_COOKIE_ECHOED
|
4
|
10 s
|
|
SCTP_S_SHUTDOWN_SENT
|
5
|
30 s
|
|
SCTP_S_SHUTDOWN_RECD
|
6
|
30 s
|
|
SCTP_S_SHUTDOWN_ACK_SENT
|
7
|
3 s
|
|
SCTP_S_MAX
|
8
|
n/a
|
duration: duration of the session (value in seconds).
expire: a countdown from the 'timeout' since the last packet passing via session (value in seconds).
timeout: an indicator of how long the session can stay open in the current state (value in seconds).
*shaper: the traffic shaper profile info (if traffic shaping is utilized).
policy_dir: 0 original direction | 1 reply direction.
tunnel: VPN tunnel name.
helper: name of the utilized session helper.
vlan_cos: Ingress COS values are displayed in the session output in the range 0-7/255, but admin COS values are displayed in the range 8-15/255 even though the value on the wire will be in the range 0-7. When no COS is utilized the value is 255/255.
state: See the table below for a list of states and what is the meaning.
|
State
|
Explanation
|
|
may-dirty
|
Session details are allowed to be altered.
|
|
dirty
|
The session has been altered (requires may-dirty).
|
|
npu
|
The session goes through an acceleration ship.
|
|
npd
|
The session is denied for hardware acceleration.
|
|
npr
|
The session is eligible for hardware acceleration (more info with npu info: offload=x/y).
|
|
rem
|
The session is allowed to be reset in case of a memory shortage.
|
|
eph
|
The session is ephemeral.
|
|
oe
|
The session is part of the IPsec tunnel (from the originator).
|
|
re
|
The session is part of the IPsec tunnel (from the responder).
|
|
local
|
The session is attached to the local FortiGate IP stack.
|
|
br
|
The session is bridged (VDOM is in transparent mode).
|
|
redir
|
The session is redirected to an internal FGT proxy.
|
|
wccp
|
The session is intercepted by wccp process.
|
|
nlb
|
The session is from a load-balanced vip.
|
|
log
|
The session is being logged.
|
|
os
|
The session is shaped in the origin direction.
|
|
rs
|
The session is shaped by the reply direction.
|
|
ndr
|
The session is inspected by IPS signature.
|
|
nds
|
The session is inspected by IPS anomaly.
|
|
auth
|
The session is subject to authentication.
|
|
authed
|
The session was successfully authenticated.
|
|
block
|
The session was re-evaluated to block (policy changed).
|
|
ext
|
(deprecated) The session is handled by a session helper.
|
|
app_ntf
|
Session matched a policy entry that contains 'set block-notification enable'.
|
|
F00
|
After enabling traffic log in policy, the session will have this flag.
|
|
pol_sniff
|
After enabling packet capture in policy, session will have this flag.
|
|
rst_tcp
|
Flag visible when firewall policy has 'timeout-send-rst enabled'.
|
|
synced
|
The session has been synchronized.
|
|
need_sync
|
With 30sec ha sync delay. The session will be synced
when reaching 30 seconds of lifetime.
|
|
complex
|
The session is handled by a session helper.
|
| app_valid
|
The relevant rule has app control profile applied and FGT ipsengine was able to identify the application. (The session will have a field such as app= indicating the application.) |
dev: an interface index can be obtained via 'diagnose netlink interface list':
if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0
NAT information:
hook=out dir=org act=noop 10.5.27.238:16844->173.243.132.165:514(20.30.40.50:20000)
hook=in dir=reply act=noop 173.243.132.165:514->20.30.40.50:20000(10.5.27.238:16844)
LEGEND: <source_IP>:<source_port>-><destination_IP>:<destination_port>(<NAT_IP>:<NAT_port>).
- When applying SNAT, NAT information overwrites the <source_IP>:<source_port>.
- When applying DNAT, NAT information overwrites the <destination_IP>:<destination_port>.
policy_id: policy ID, which is utilized for the traffic.
auth_info: indicates if the session holds any authentication data (1) or not (0).
vd: VDOM index can be obtained via 'diagnose sys vd list':
name=root/root index=0 enabled use=237 rt_num=144 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0
serial: unique session identifier.
tos:
- The policy has tos/dscp configured to override this value on a packet.
- A proxy-based feature is enabled and it is necessary to preserve the tos/dscp on packets in the flow by caching the tos/dscp on the kernel session from the original packet and then setting it on any subsequent packets that are generated by the proxy.
app: application ID.
url_cat: See the following table:
|
Potentially Liable:
|
48 Personal Vehicles
|
|
1 Drug Abuse
|
54 Dynamic Content
|
|
3 Hacking
|
55 Meaningless Content
|
|
4 Illegal or Unethical
|
58 Folklore
|
|
5 Discrimination
|
68 Web Chat
|
|
6 Explicit Violence
|
69 Instant Messaging
|
|
59 Proxy Avoidance
|
70 Newsgroups and Message Boards
|
|
62 Plagiarism
|
71 Digital Postcards
|
|
83 Child Abuse
|
77 Child Education
|
|
Bandwidth Consuming:
|
78 Real Estate
|
|
19 Freeware and Software Downloads
|
79 Restaurant and Dining
|
|
24 File Sharing and Storage
|
80 Personal Websites and Blogs
|
|
25 Streaming Media and Download
|
82 Content Servers
|
|
72 Peer-to-peer File Sharing
|
85 Domain Parking
|
|
75 Internet Radio and TV
|
87 Personal Privacy
|
|
76 Internet Telephony
|
89 Auction
|
|
General Interest - Personal:
|
General Interest - Business:
|
|
17 Advertising
|
31 Finance and Banking
|
|
18 Brokerage and Trading
|
41 Search Engines and Portals
|
|
20 Games
|
43 General Organizations
|
|
23 Web-based Email
|
49 Business
|
|
28 Entertainment
|
50 Information and Computer Security
|
|
29 Arts and Culture
|
51 Government and Legal Organizations
|
|
30 Education
|
52 Information Technology
|
|
33 Health and Wellness
|
53 Armed Forces
|
|
34 Job Search
|
56 Web Hosting
|
|
35 Medicine
|
81 Secure Websites
|
|
36 News and Media
|
84 Web-based Applications
|
|
37 Social Networking
|
92 Charitable Organizations
|
|
38 Political Organizations
|
93 Remote Access
|
|
39 Reference
|
94 Web Analytics
|
|
40 Global Religion
|
95 Online Meeting
|
|
42 Shopping
|
0 Unrated
|
|
44 Society and Lifestyles
|
Local Categories:
|
|
46 Sports
|
140 custom1
|
|
47 Travel
|
141 custom2
|
Related articles:
