when I check the session table using the command "diagnose sys session list", how can I check if the flow is working or not? I mean, what about if the flow goes through the firewall but it doesn't come back?
just to give you an example, the Juniper SRX firewall writes this information in its session table, but what about Fortinet? in the "diagnose sys session list" output where is written this information?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
fg50e-utm (root) # diag sys session filter dst 8.8.8.8 fg50e-utm (root) # diag sys session list session info: proto=1 proto_state=00 duration=1112682 expire=56 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255 state=log local nds statistic(bytes/packets/allow_err): org=2223960/37066/1 reply=2223840/37064/1 tuples=2 tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 1/0 orgin->sink: org out->post, reply pre->in dev=0->0/76->12 gwy=0.0.0.0/[home_ip] hook=out dir=org act=noop [home_ip]:59999->8.8.8.8:8(0.0.0.0:0) hook=in dir=reply act=noop 8.8.8.8:59999->[home_ip]:0(0.0.0.0:0) misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=00449fd0 tos=ff/ff app_list=0 app=0 url_cat=0 vwl_mbr_seq=0 vwl_service_id=0 rpdb_link_id=00000000 ngfwid=n/a dd_type=0 dd_mode=0 total session 1
OP the cmd is similar show security flow for junos. You can get similar diagnose to matches and counts. You can see these in the bytes count field.
e.g
ession info: proto=17 proto_state=01 duration=12 expire=176 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4origin-shaper=reply-shaper=per_ip_shaper=class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255state=may_dirty statistic(bytes/packets/allow_err): org=5977/13/1 reply=3318/14/1 tuples=2tx speed(Bps/kbps): 97/0 rx speed(Bps/kbps): 28/0orgin->sink: org pre->post, reply pre->post dev=21->5/5->21 gwy=199.18.24.19/192.168.1.114hook=post dir=org act=snat 192.168.1.114:49554->142.250.115.190:443(199.188.254.166:49554)hook=pre dir=reply act=dnat 142.250.115.190:443->199.18.24.66:49554(192.168.1.114:49554)misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0serial=0008b1c1 tos=ff/ff app_list=0 app=0 url_cat=0vwl_mbr_seq=0 vwl_service_id=0rpdb_link_id=00000000 ngfwid=n/add_type=0 dd_mode=0
Also you can see hit-counts in a similar fashion
homefgt (root) # diag firewall iprope show 0x100004 1idx=1 pkts/bytes=55045482/48909320872 asic_pkts/asic_bytes=0/0 flag=0x0 hit count:234899 first:2021-04-29 17:19:04 last:2021-05-10 00:05:00 established session count:108 first est:2021-04-29 17:19:04 last est:2021-05-10 00:05:00 That would be the same as show security policy hit-count. The two platform are similar but done in a fashion slightly different. I look at fortinet as an improvement over screenOS imho. Ken Felix
PCNSE
NSE
StrongSwan
Hi
If we want to analyze only through the session, We can observe these two fields in the session:
statistic(bytes/packets/allow_err): tx speed(Bps/kbps):
Example of a successful communication session:
Inside-R#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 23/24/28 ms
FGT1 # diagnose sys session filter proto 1
FGT1 # diagnose sys session list
session info: proto=1 proto_state=00 duration=16 expire=43 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=Per_1_M
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty per_ip f00 log-start
statistic(bytes/packets/allow_err): org=500/5/1 reply=480/5/1 tuples=2
tx speed(Bps/kbps): 30/0 rx speed(Bps/kbps): 29/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=202.100.1.254/192.168.100.100
hook=post dir=org act=snat 192.168.100.100:1->8.8.8.8:8(202.100.1.1:60417)
hook=pre dir=reply act=dnat 8.8.8.8:60417->202.100.1.1:0(192.168.100.100:1)
src_mac=aa:bb:cc:00:60:00
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00000091 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000
total session 1
FGT1 #
For example a conversation cannot be communicated:
Inside-R#ping 8.8.8.9 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.9, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
FGT1 # diagnose sys session filter proto 1
FGT1 # diagnose sys session list
session info: proto=1 proto_state=00 duration=14 expire=53 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=Per_1_M
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty per_ip f00 log-start
statistic(bytes/packets/allow_err): org=500/5/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 35/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=202.100.1.254/0.0.0.0
hook=post dir=org act=snat 192.168.100.100:2->8.8.8.9:8(202.100.1.1:60418)
hook=pre dir=reply act=dnat 8.8.8.9:60418->202.100.1.1:0(192.168.100.100:2)
src_mac=aa:bb:cc:00:60:00
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00000093 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000
total session 1
FGT1 #
Generally, the more convenient way to observe is in the traffic log in the GUI:
config firewall policy
edit 1
set name "to-internet"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set logtraffic all // enable logtraffic
set logtraffic-start enable
set nat enable
next
end
After waiting for the traffic to pass through and then finish, check the corresponding traffic log:
For the default policy 0 with packet drop for the traffic log, we need to enable the log that hides the packet loss policy (default is disabled). After enabling it, we can see the log information of the packet loss traffic:
config log setting
set fwpolicy-implicit-log enable
end
image:https://ibb.co/jTGXh7h
The lost packet traffic does not generate a session, so it can only be observed through the log. Usually, we find that it is unreasonable during the operation and maintenance. It is recommended to use sniffer and debug flow tools to cooperate with the troubleshooting.
https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD30038&languageId=
Thanks
Kangming
You have a better method imho
diag debug flow and the policy in question would give details on the flow. This would be similar to monitor security in a SRX. Just be specific if you have a certain traffic that your expecting src/dst.
If you enable deny, what happens is you waste memory logging denies and specially with a lot of denies
fortios junos
"diag dbeug flow" == "monitor security flow"
"diag sys session list" == "show security flow session"
"execute log display" == " show log messages"
"diag firewall iproper show 0x10004 " == "show security policies hit-count"
I hope that helps but I would study the above cmds and get comfortable with them imho.
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.