Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TurboC
New Contributor

The session Table can tell me if a flow is ok or not?

when I check the session table using the command "diagnose sys session list", how can I check if the flow is working or not? I mean, what about if the flow goes through the firewall but it doesn't come back?

 

just to give you an example, the Juniper SRX firewall writes this information in its session table, but what about Fortinet? in the "diagnose sys session list" output where is written this information?

5 REPLIES 5
Toshi_Esumi
Esteemed Contributor II

fg50e-utm (root) # diag sys session filter dst 8.8.8.8 fg50e-utm (root) # diag sys session list session info: proto=1 proto_state=00 duration=1112682 expire=56 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255 state=log local nds statistic(bytes/packets/allow_err): org=2223960/37066/1 reply=2223840/37064/1 tuples=2 tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 1/0 orgin->sink: org out->post, reply pre->in dev=0->0/76->12 gwy=0.0.0.0/[home_ip] hook=out dir=org act=noop [home_ip]:59999->8.8.8.8:8(0.0.0.0:0) hook=in dir=reply act=noop 8.8.8.8:59999->[home_ip]:0(0.0.0.0:0) misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=00449fd0 tos=ff/ff app_list=0 app=0 url_cat=0 vwl_mbr_seq=0 vwl_service_id=0 rpdb_link_id=00000000 ngfwid=n/a dd_type=0 dd_mode=0 total session 1

emnoc
Esteemed Contributor III

OP the cmd is similar show security flow for junos. You can get similar diagnose to matches and counts. You can see these in the bytes count field.

 

e.g

 

ession info: proto=17 proto_state=01 duration=12 expire=176 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4

origin-shaper=

reply-shaper=

per_ip_shaper=

class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255

state=may_dirty 

statistic(bytes/packets/allow_err): org=5977/13/1 reply=3318/14/1 tuples=2

tx speed(Bps/kbps): 97/0 rx speed(Bps/kbps): 28/0

orgin->sink: org pre->post, reply pre->post dev=21->5/5->21 gwy=199.18.24.19/192.168.1.114

hook=post dir=org act=snat 192.168.1.114:49554->142.250.115.190:443(199.188.254.166:49554)

hook=pre dir=reply act=dnat 142.250.115.190:443->199.18.24.66:49554(192.168.1.114:49554)

misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0

serial=0008b1c1 tos=ff/ff app_list=0 app=0 url_cat=0

vwl_mbr_seq=0 vwl_service_id=0

rpdb_link_id=00000000 ngfwid=n/a

dd_type=0 dd_mode=0

 

Also you can see hit-counts in a similar fashion 

 

homefgt (root) # diag firewall iprope show 0x100004 1

idx=1 pkts/bytes=55045482/48909320872 asic_pkts/asic_bytes=0/0 flag=0x0 hit count:234899

    first:2021-04-29 17:19:04 last:2021-05-10 00:05:00

 established session count:108

    first est:2021-04-29 17:19:04 last est:2021-05-10 00:05:00

 

That would be the same as show security policy hit-count. The two platform are similar but done in a fashion slightly different. I look at fortinet as an improvement over screenOS imho.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

TurboC
New Contributor

So, can I check it from the bytes count? If I have something in each directions, it means that the flow goes through the firewall and come back, otherwise there is an issue, right? statistic(bytes/packets/allow_err): org=2223960/37066/1 reply=2223840/37064/1 In the session table can I see the blocked flows? Can the flows with issues be blocked by a policy too? Can I see the deny policy id right?
Kangming

Hi 

If we want to analyze only through the session, We can observe these two fields in the session:

statistic(bytes/packets/allow_err):  tx speed(Bps/kbps): 

 

Example of a successful communication session:

Inside-R#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 23/24/28 ms

 

FGT1 # diagnose sys session filter proto 1
FGT1 # diagnose sys session list
session info: proto=1 proto_state=00 duration=16 expire=43 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=Per_1_M
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty per_ip f00 log-start
statistic(bytes/packets/allow_err): org=500/5/1 reply=480/5/1 tuples=2
tx speed(Bps/kbps): 30/0 rx speed(Bps/kbps): 29/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=202.100.1.254/192.168.100.100
hook=post dir=org act=snat 192.168.100.100:1->8.8.8.8:8(202.100.1.1:60417)
hook=pre dir=reply act=dnat 8.8.8.8:60417->202.100.1.1:0(192.168.100.100:1)
src_mac=aa:bb:cc:00:60:00
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00000091 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000
total session 1
FGT1 #

 

For example a conversation cannot be communicated:

Inside-R#ping 8.8.8.9 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.9, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)

FGT1 # diagnose sys session filter proto 1
FGT1 # diagnose sys session list
session info: proto=1 proto_state=00 duration=14 expire=53 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=Per_1_M
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty per_ip f00 log-start
statistic(bytes/packets/allow_err): org=500/5/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 35/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=202.100.1.254/0.0.0.0
hook=post dir=org act=snat 192.168.100.100:2->8.8.8.9:8(202.100.1.1:60418)
hook=pre dir=reply act=dnat 8.8.8.9:60418->202.100.1.1:0(192.168.100.100:2)
src_mac=aa:bb:cc:00:60:00
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00000093 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000
total session 1
FGT1 #

 

Generally, the more convenient way to observe is in the traffic log in the GUI:

config firewall policy
edit 1
set name "to-internet"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set logtraffic all     // enable logtraffic
set logtraffic-start enable
set nat enable
next
end

 

 

After waiting for the traffic to pass through and then finish, check the corresponding traffic log:

For the default policy 0 with packet drop for the traffic log, we need to enable the log that hides the packet loss policy (default is disabled). After enabling it, we can see the log information of the packet loss traffic:

config log setting
set fwpolicy-implicit-log enable
end

image:https://ibb.co/jTGXh7h

The lost packet traffic does not generate a session, so it can only be observed through the log. Usually, we find that it is unreasonable during the operation and maintenance. It is recommended to use sniffer and debug flow tools to cooperate with the troubleshooting. 

https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD30038&languageId=

Thanks

Kangming

emnoc
Esteemed Contributor III

You have a better method imho

 

 

diag debug flow and the policy in question would give details on the flow. This would be similar to monitor security in a SRX. Just be specific if you have a certain traffic that your expecting src/dst.

 

If you enable deny, what happens is you waste memory logging denies and specially with a lot of denies

 

fortios                         junos

"diag dbeug flow" == "monitor security flow"

"diag sys session list"   ==  "show security flow session"

"execute log display"      ==   " show log messages"

"diag firewall iproper show 0x10004 "   == "show security policies hit-count"

 

I hope that helps but I would study the above cmds and get comfortable with them imho.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan