Can the session table tell me if a flow is OK or not?
When I check the session table using the command "diagnose sys session list", how can I check whether the flow is working or not? I mean, what if the flow goes through the firewall but doesn't come back?
Just to give you an example, the Juniper SRX firewall writes this information in its session table, but what about Fortinet? In the "diagnose sys session list" output, where is this information written?
homefgt (root) # diag firewall iprope show 0x100004 1
idx=1 pkts/bytes=55045482/48909320872 asic_pkts/asic_bytes=0/0 flag=0x0
hit count:234899 first:2021-04-29 17:19:04 last:2021-05-10 00:05:00
established session count:108 first est:2021-04-29 17:19:04 last est:2021-05-10 00:05:00

That would be the same as show security policy hit-count. The two platforms are similar but done in a slightly different fashion. I look at Fortinet as an improvement over ScreenOS, imho. Ken Felix
So, can I check it from the byte count? If I have something in each direction, it means that the flow goes through the firewall and comes back; otherwise there is an issue, right?
statistic(bytes/packets/allow_err): org=2223960/37066/1 reply=2223840/37064/1
In the session table can I see the blocked flows?
Can the flows with issues be blocked by a policy too? Can I see the deny policy ID, right?
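The statistic line quoted above carries both directions of a session (org= is the originating direction, reply= the return direction, each as bytes/packets/allow_err). The following script, added here as an illustration and not part of the original thread, parses such lines from a saved "diagnose sys session list" dump and labels each session as bidirectional, one-way (forward packets but no reply seen by this FortiGate), or idle. The sample lines are constructed; only the first one is the figure from the thread.

```python
import re

# Constructed sample lines in the style of the "statistic(...)" line printed by
# "diagnose sys session list" (not captured from a real FortiGate, apart from the
# first one, which is the line quoted in the thread). Each direction is
# bytes/packets/allow_err; org= is the originating side, reply= the return side.
SAMPLE_STATISTICS = [
    "statistic(bytes/packets/allow_err): org=2223960/37066/1 reply=2223840/37064/1",
    "statistic(bytes/packets/allow_err): org=1500/10/1 reply=0/0/0",
    "statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0",
    "some unrelated line from the session dump",
]

STAT_RE = re.compile(
    r"statistic\(bytes/packets/allow_err\):\s*"
    r"org=(?P<org_b>\d+)/(?P<org_p>\d+)/(?P<org_e>\d+)\s+"
    r"reply=(?P<rep_b>\d+)/(?P<rep_p>\d+)/(?P<rep_e>\d+)"
)


def parse_statistic(line):
    """Return {'org': (bytes, packets, allow_err), 'reply': (...)} or None."""
    m = STAT_RE.search(line)
    if m is None:
        return None
    g = {k: int(v) for k, v in m.groupdict().items()}
    return {
        "org": (g["org_b"], g["org_p"], g["org_e"]),
        "reply": (g["rep_b"], g["rep_p"], g["rep_e"]),
    }


def classify(stat):
    """Label a session by whether packets were seen in both directions."""
    org_pkts = stat["org"][1]
    reply_pkts = stat["reply"][1]
    if org_pkts > 0 and reply_pkts > 0:
        return "bidirectional"
    if org_pkts > 0 and reply_pkts == 0:
        # Packets were forwarded but nothing came back through this FortiGate:
        # the symptom the question describes.
        return "one-way"
    return "idle"


def triage(lines):
    """Classify every statistic line found in a session dump, in order."""
    return [classify(s) for s in map(parse_statistic, lines) if s is not None]


if __name__ == "__main__":
    for line in SAMPLE_STATISTICS:
        stat = parse_statistic(line)
        print(classify(stat) if stat else "skipped", "|", line)
```

A "one-way" label is a hint, not a verdict: the reply may legitimately return over another path (asymmetric routing), or the protocol may be one-way by design (syslog over UDP, for instance), so confirm with the sniffer or debug flow before treating it as a fault.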
Generally, the most convenient way to observe this is the traffic log in the GUI:

config firewall policy
    edit 1
        set name "to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set logtraffic all       // enable logtraffic
        set logtraffic-start enable
        set nat enable
    next
end
After waiting for the traffic to pass through and then finish, check the corresponding traffic log:
To see traffic dropped by the default policy 0 in the traffic log, we need to enable logging for the implicit deny policy (disabled by default). After enabling it, we can see the log entries for the dropped traffic:

config log setting
    set fwpolicy-implicit-log enable
end

Dropped traffic does not generate a session, so it can only be observed through the log. Usually we only discover such problems during operation and maintenance; it is recommended to use the sniffer and debug flow tools together when troubleshooting.
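Once logtraffic and fwpolicy-implicit-log are enabled as above, denied flows show up in the forward traffic log with action="deny" and the ID of the policy that dropped them (policyid=0 for the implicit deny). The script below is an added illustration, not part of the original thread: it parses key=value traffic log lines exported from a FortiGate and counts denies per policy, which answers "can I see the deny policy ID" without opening the GUI. The log lines are constructed and the field names (type, action, policyid, srcip, dstip, dstport) are the usual FortiGate forward-log fields, assumed here for illustration.

```python
import shlex
from collections import Counter

# Constructed sample forward-traffic log lines in FortiGate key=value style.
# All values are invented; field names are the common ones and are assumed for
# this example. policyid=0 marks the implicit deny policy, which only appears in
# the log after "set fwpolicy-implicit-log enable" is configured.
SAMPLE_LOG = [
    'date=2024-01-01 time=10:00:00 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=198.51.100.7 dstport=443 proto=6 action="accept" policyid=1 policyname="to-internet" sentbyte=2223960 rcvdbyte=2223840',
    'date=2024-01-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.0.9 dstip=198.51.100.7 dstport=23 proto=6 action="deny" policyid=0 policytype="policy" sentbyte=0 rcvdbyte=0',
    'date=2024-01-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.0.0.9 dstip=198.51.100.8 dstport=445 proto=6 action="deny" policyid=7 policyname="block-smb" sentbyte=0 rcvdbyte=0',
    'date=2024-01-01 time=10:00:03 type="traffic" subtype="forward" srcip=10.0.0.12 dstip=198.51.100.9 dstport=53 proto=17 action="deny" policyid=0 policytype="policy" sentbyte=0 rcvdbyte=0',
    'date=2024-01-01 time=10:00:04 type="event" subtype="system" action="login" user="admin"',
]


def parse_log_line(line):
    """Split one key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def denies_by_policy(lines):
    """Count denied forward-traffic flows per policyid ("0" = implicit deny)."""
    counts = Counter()
    for rec in map(parse_log_line, lines):
        if rec.get("type") == "traffic" and rec.get("action") == "deny":
            counts[rec.get("policyid", "?")] += 1
    return dict(counts)


def implicit_deny_sources(lines):
    """Sorted (srcip, dstip, dstport) tuples that hit the implicit deny policy."""
    hits = set()
    for rec in map(parse_log_line, lines):
        if rec.get("action") == "deny" and rec.get("policyid") == "0":
            hits.add((rec.get("srcip"), rec.get("dstip"), rec.get("dstport")))
    return sorted(hits)


if __name__ == "__main__":
    print("denies per policy:", denies_by_policy(SAMPLE_LOG))
    for src, dst, port in implicit_deny_sources(SAMPLE_LOG):
        print(f"implicit deny: {src} -> {dst}:{port}")
```

A flow that never appears in the log at all, even with implicit-deny logging on, was not dropped by a policy; that is the case the answer points at, where the sniffer and debug flow are the next step.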
diag debug flow and the policy in question would give details on the flow. This would be similar to monitor security in an SRX. Just be specific if you have certain traffic that you're expecting (src/dst).
If you enable deny logging, what happens is you waste memory logging denies, especially with a lot of denies.