When listing the desired sessions (diag sys session list), focus on the 'dev' section in order to understand how the traffic is flowing across FortiGate interfaces.

The 'dev' section information is interpreted as below:

dev=<ingress interface index of the originating traffic> -> <egress interface index of the originating traffic> / <ingress interface index of the replying traffic> -> <egress interface index of the replying traffic>

With the interface index obtained earlier, ingress and egress interfaces can be determined with the following command:

diagnose netlink interface list

Example from the session list information obtained earlier (dev=5->3/3->5):

It indicates originating traffic flows from port3->port1 and replying traffic flows from port1->port3 on FortiGate.

In certain cases where the 'root' interface is associated with a specific session, this indicates that the traffic is local traffic (local-in or local-out traffic).

The 'root' interface has an interface index of 14 from the following command:

diagnose netlink interface list

Example of local-out traffic (dev=14->x/x->14):

Example of local-in traffic (dev=x->14/14->x):

Use grep to filter the interface.

Example:

diag netlink interface list | grep "index=3 "
if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0

diag netlink interface list | grep "index=14 "
if=root family=00 type=772 index=14 mtu=16436 link=0 master=0