FortiGate
anderson_yee
Staff
Article Id 313940
Description: This article describes how to identify the ingress and egress interfaces of a traffic flow from the session list.
Scope: FortiOS.
Solution

When listing the desired sessions (diag sys session list), focus on the 'dev' field of each entry to understand how the traffic flows across FortiGate interfaces.

The 'dev' section information is interpreted as below:


dev=<ingress interface index of the originating traffic> -> <egress interface index of the originating traffic> / <ingress interface index of the replying traffic> -> <egress interface index of the replying traffic>




With the interface indexes obtained from the session entry, the ingress and egress interface names can be determined with the following command:

 

diagnose netlink interface list


Example from the session list information obtained earlier (dev=5->3/3->5), where index 5 is port3 and index 3 is port1:


It indicates that the originating traffic flows from port3->port1 and the replying traffic flows from port1->port3 on FortiGate.


When the 'root' interface appears in the 'dev' field of a session, the traffic is local traffic, that is, local-in traffic (destined to FortiGate itself) or local-out traffic (originated by FortiGate itself).

In this example, the 'root' interface has interface index 14, as shown by the following command:

 

diagnose netlink interface list


Example of local-out traffic: dev=14->x/x->14 (the originating traffic enters on 'root', so it was generated by FortiGate itself).

Example of local-in traffic: dev=x->14/14->x (the originating traffic exits to 'root', so it is destined to FortiGate itself).

Use grep to filter the output down to a single interface index. Note the trailing space inside the quotes: it prevents a search for index=3 from also matching index=30, index=31, and so on.

Example:

 

diag netlink interface list | grep "index=3 "
if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0

 

diag netlink interface list | grep "index=14 "
if=root family=00 type=772 index=14 mtu=16436 link=0 master=0
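As an added example (not from the article or from Fortinet), the following Python resolves a session's 'dev' field against constructed 'diagnose netlink interface list' output and classifies the flow as forwarded, local-in or local-out; the interface names and indexes are made up to match the article's example.

```python
import re

# Constructed sample output of 'diagnose netlink interface list' (not from a real device).
NETLINK_OUTPUT = """\
if=port1 family=00 type=1 index=3 mtu=1500 link=0 master=0
if=port3 family=00 type=1 index=5 mtu=1500 link=0 master=0
if=root family=00 type=772 index=14 mtu=16436 link=0 master=0
"""

# Constructed 'dev=' fields as they appear in 'diagnose sys session list' entries.
SESSION_DEVS = ["dev=5->3/3->5", "dev=14->5/5->14", "dev=3->14/14->3"]
LOCAL_IF = "root"  # FortiOS uses the 'root' interface for local-in/local-out traffic

def parse_netlink(output):
    """Map interface index -> interface name from netlink interface list output."""
    table = {}
    for line in output.splitlines():
        m = re.search(r"\bif=(\S+).*\bindex=(\d+)\b", line)
        if m:
            table[int(m.group(2))] = m.group(1)
    return table

def parse_dev(field):
    """Split 'dev=A->B/C->D' into ((A, B), (C, D)) as integers."""
    m = re.fullmatch(r"dev=(\d+)->(\d+)/(\d+)->(\d+)", field.strip())
    if not m:
        raise ValueError(f"unexpected dev field: {field!r}")
    a, b, c, d = map(int, m.groups())
    return (a, b), (c, d)

def describe_flow(field, table):
    """Resolve a dev= field to interface names and classify the traffic."""
    (orig_in, orig_out), (reply_in, reply_out) = parse_dev(field)

    def name(idx):
        return table.get(idx, f"index{idx}")  # fall back to the raw index if unknown

    if name(orig_in) == LOCAL_IF:
        kind = "local-out"   # originating traffic enters on 'root'
    elif name(orig_out) == LOCAL_IF:
        kind = "local-in"    # originating traffic exits to 'root'
    else:
        kind = "forwarded"
    orig = f"{name(orig_in)}->{name(orig_out)}"
    reply = f"{name(reply_in)}->{name(reply_out)}"
    return {"kind": kind, "originating": orig, "replying": reply}

if __name__ == "__main__":
    table = parse_netlink(NETLINK_OUTPUT)
    for dev in SESSION_DEVS:
        print(dev, describe_flow(dev, table))
```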