FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 191159


This article describes how to utilize the ‘grep’ command in combination with session list to get more detailed statistics.





FortiGate CLI allows using the ‘grep’ command to filter specified output for specified strings.

As an example, 'show full-configuration | grep ‘<IP address>’' will show if the IP address specified occurs in the FortiGate configuration at any point.
Parameters can also be used, and in combination with the ‘dia sys session list’ command can allow a deeper insight into what sessions are present.



diag sys session list | grep –c ‘dirty may_dirty’


This will count how many dirty sessions are present in the (optionally filtered) session table.
Dirty sessions have the status ‘dirty’, and all sessions have the status ‘may_dirty’.
Searching for ‘dirty may_dirty’ will print the dirty sessions; using the parameter ‘-c’ will count the occurrences instead.



diag sys session list | grep -B 5 -A 10 local


This will print all local sessions that ‘diag sys session list’ which include in its output.
It filters for ‘local’ which is a session state, and then prints the preceding 5 lines and the trailing 10 lines for each occurrence to print the full session information.

The combination of ‘diag sys session filter’ to pre-filter the sessions ‘diag sys session list’ will dump, and then using ‘grep’ to filter/count particular occurrences of sessions.

diag sys session filter’ can be used to constrain the possible matches based on source IP/destination IP, soure port/destination port, policy ID, duration, NAT IP or NAT port.
‘grep’ can be used afterwards to narrow down session states, authenticated users and other details that the ‘session filter’ command does not allow for.

Other parameters may be used as well:

Usage: grep [-invfcABC] PATTERN.


-i Ignore case distinctions.

-n Print line number with output lines.
-v Select non-matching lines.
-f Print fortinet config context.
-c Only print count of matching lines.
-A Print NUM lines of trailing context.
-B Print NUM lines of leading context.
-C Print NUM lines of output context.


On new firmware versions as v7.x, new grep options were added. Here is the output collected from a FortiGate running v7.0.12:


Usage: grep [-ilHhnqvscABC] PATTERN [FILE...]
-i Ignore case distinctions
-l List names of files that match
-H Prefix output lines with filename where match was found
-h Suppress the prefixing filename on output
-n Print line number with output lines
-q Quiet
-v Select non-matching lines
-s Suppress file open/read error messages
-c Only print count of matching lines
-A Print NUM lines of trailing context
-B Print NUM lines of leading context
-C Print NUM lines of output context


Related articles:

Troubleshooting Tip: FortiGate session table information

Technical Tip: The usage of "grep" filter command on the FortiGate CLI